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1 INTRODUCTION 


This edition of the OneOS Book corresponds to the V4.3R4E21 and V5.1R3E1 software release of 
OneOS. It is also available for all previous software releases of OneOS according to the features matrix 
described hereafter. 


The OneOS software developed for use with the ONE product range offers an extensive range of features 
designed to provide a complete & highly powerful range of multi-service access routers: 


e Full IP router with NAPT, Security, and Quality of Service management 

e Support of voice for analog and ISDN SO/TO terminals using Voice over IP and Voice over ATM 
e —_Interworking of data protocols (FR, X.25, PAD, XOT, X.31) 

e Advanced management tools based on CLI (Command Line Interface), SNMP, FTP/TFTP 


This document is the OneOS user guide for Bridging and LAN functions of the OneOS-based range 
products. 


Seven other user guides and two global indexes are available: 
o OneOS — Admin User Guide 
o OneOS —- Basic IP User Guide 
o OneOS — Advanced IP User Guide 
o OneOS — WAN User Guide 
o OneOS — VoIP User Guide 
o OneOS — VoATM & CES User Guide 
o OneOS — IBC User Guide 
o Index of OneOS User Guides (global table of contents) 
o Index of CLI of OneOS User Guides (global list of CLI commands) 
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1.1 FEATURE MATRIX 


The following table is a resource providing edition by edition the released features. The table was done as 
of the V3.5R2E3 software release. For simplification, the indicated software release shows the presence of 
a feature in a given software release starting with V3.5R2E3. It should be noted that most features were 
available in earlier versions. 


ETH Interfaces 
(physical layer) 
Ethernet OAM 
(CFM) 
WLAN 
WiFi Protected Set-up (WPS): PIN and PBC modes 

VLAN 
Bridging 


BVI attachment to a PVC (frames are emitted with the V3.5R2E3 
IPOEOA encapsulation, LLC mode) 

Integrated Routing and Bridging (IRB): Multiplexing BV! and V3.5R2E3 
IPOA flows over a PVC 

Integrated Routing and Bridging (IRB): Multiplexing BV! and V3.5R2E3 
PPPoEOA flows over a PVC 

Priority Queuing of priority tagged frame V3.5R2E3 
IGMP snooping (RFC 4541) on bridge group with BVI V4.3R4E14 


Pseudowire Pseudowire encapsulation edge-to-edge (RFC 3945) V5.1R3E1 
encapsulation | | ayer 2 Control Protocol (L2CP) tunneling V5.1R3E1 


edge-to-edge 
XPWE3) 3 Encapsulation Methods for Transport of Ethernet over V5.1R3E1 
MPLS Networks type 4 and 5 (RFC 4448) 
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IP-based MPLS encapsulation using generic routing V5.1R3E1 
encapsulation (GRE) according to RFC 1423 


QoS mapping V5.1R3E1 
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2 


ETHERNET PORT PHYSICAL LAYER CONFIGURATION 





2. 


1 ETHERNET PORT NUMBERING 


The OneOS-based routers have several Ethernet ports. Here are the guidelines to understand port 
numbering. The basic syntax to enter the interface configuration mode is: 


interface <type> <module>/<port> 


| Product Ethernet Port Type Module/Port Designation 


ONE30 4 x Ethernet 10/100 FastEthernet 0/0 up to 0/3 (from left to right) 


ONE20A 4 x Ethernet 10/100 (Basic configuration)| FastEthernet 0/0 up to 0/3 (from right to left) 
ONE100A Ethernet 10/100 (ONE100A Option) FastEthernet 1/0 (leftmost) 


ONE20D/M 
ONE80XM 5 x Ethernet 10/100 
ONE100D/M 


FastEthernet 0/0 up to 0/3 (from right to left) 
FastEthernet 1/0 (leftmost) (*) 


ONE50 4 x Ethernet 10/100 (Basic configuration)| FastEthernet 0/0 up to 0/3 (from right to left) 
ONE150 Ethernet 100 (Uplink Option) FastEthernet 1/0 (SFP port) 


Ethernet 10/100 (Basic configuration) FastEthernet 0/0 (leftmost when facing device back panel) 


ONE60 
ONE200 4 x Ethernet 10/100 (Option) 


FastEthernet 0/1 up to 0/4 (from left to right, next on the left of 
FastEthernet 0/0) 


1440 Ethernet 10/100/1000 (Uplink Option) GigabitEthernet 1/0 (dual SFP/RJ45 port) 


ONE70 
ONE700 4 x Ethernet 10/100/1000 GigabitEthernet 0/0 to 0/3 (from left to right) 


ONE180 4 x Ethernet 10/100 (Basic configuration)} FastEthernet 0/0 up to 0/3 (from right to left) 
ONE300 Ethernet 10/100 (Option ONE300) FastEthernet 1/0 (leftmost) 





Ethernet 100 FastEthernet 0/0 (Disabled if the 4 x 10/100 module is added) 
ONE400 


4 x Ethernet 10/100 (Option) FastEthernet 0/1 up to 0/4 (from left to right) 


Ethernet 10/100 (Uplink Option) FastEthernet 1/0 


ONECell25 > x Ethernet 10/100 FastEthernet 1/0 (leftmost when facing the device back panel) 
ONECell35 FastEthernet 0/0 (rightmost when facing the device back panel) 


(*) This interface FastEthernet only supports the 100 Mbps full-duplex operations in auto-sense mode. If 
connected in 10 Mbps or half-duplex, this interface will not connect. The problem can appear mostly with 
devices forced in such modes or with old Ethernet hubs. 
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2.2 ETHERNET PHYSICAL LAYER CONFIGURATION 


2.2.1 Sensing mode 


When the FastEthernet interface (including the Gigabit port used as a Fast Ethernet UTP port) is in auto- 
sensing mode, the interface attempts to negotiate the fastest mode for transmitting over the Ethernet. If the 
remote equipment connected to the fast Ethernet interface of an OneOS-based router has enabled 
negotiation, full-duplex and 100 Mbps are preferred. 


You can force the Fast Ethernet interface to use a specified mode as follows: 
CLI(configure)> interface { fastethernet | gigabitethernet} <module/port> 
CLI (config-if)> duplex { full | half | auto } 
CLI (config-if)> speed { auto | 10 | 100 } 

If the remote port does not negotiate, there are two cases to consider: 


e With a module without switch: if no mode is forced, the device uses the most conservative mode (half 
duplex) and the locally measured speed is chosen (10 or 100). If the duplex mode and speed are 
forced, the configured parameters are used. 


e With a module with switch: the negotiation must be disabled to make the FastEthernet complete its 
configuration. If no mode is forced, the device uses the most conservative mode (half duplex) and the 
locally measured speed is chosen (10 or 100). 


CLI (config-if)> no negotiation 


To re-enable auto-negotiation: 


CLI (config-if)> negotiation auto 


The default values are: duplex auto, soeed auto, negotiated. 
22.2 Crossover mode and cable adaptation 


It is possible to set some characteristics of every Fast Ethernet ports (including Gigabit ports used as Fast 
Ethernet UTP ports) only when the router is equipped with an Ethernet switch. The default mode is 
automatic crossover. But you can change the interface so that it is always straight (MDI) or crossed 
(MDIX): 


CLI(configure)> interface { fastethernet | gigabitethernet} <module/port> 
CLI (config-if)> phy crossover { default | MDI | MDIx | auto } 
To configure an extended cable length: 


CLI (config-if)> phy extended-distance { default | normal | enabled } 


To configure the switch to be optimized for shielded/unshielded cable: 


CLI (config-if)> phy twisted-pair { default | unshielded | shielded } 
2.2.3 Dual media type interface 


For OneOS-based routers fitted with a dual media port (optical SFP and electrical RJ45), the following 
command allows selecting which physical connector has to be used (SFP by default). 


CLI(configure)> interface { fastethernet | gigabitethernet} <module/port> 
CLI (config-if)> media-type { rj45 | sfp } 


You must reboot your target after saving the configuration 


Note that to be taken into account this command requires a reboot of the router after having saved 
the configuration using save running-config. 


Bridging & LAN User Guide Page 2.2-10 of 89 


ONEOS V4.3R4 /V5.1R3 BRIDGING & LAN USER GUIDE (EDITION 10) 


2.2.4 


Statistics 


Use the following command in global mode to display Ethernet physical layer configuration: 


CLI> show configuration interface {fastethernet | gigabitethernet} <unit> 


CLI> show configuration interface fastethernet 0 


Negotiation: auto def: auto 
Duplex: auto def: auto 
Speed: auto def: auto 

phy crossover: auto def: auto 

phy extended-distance: normal def: normal 

phy twisted-pair: unshielded def: unshielded 


Use the following command in global mode to display actual statistics of Ethernet interfaces: 


CLI> show system statistics { fast-—ethernet | gigabit-ethernet } <unit> 


CLI> show system statistics fast-ethernet 0 
Ethernet switch/hub device 


If status : int 0 int 1 ae 2 int 3 
Auto-nego yes 2 Zz 2 
Link is up down down down 
Speed 100Mb/s 2 ? 2 
Duplex full ? ? ? 
Phy ‘Specific: Control 
Crossover auto auto auto auto 
ExtdDistance normal normal normal normal 
Twisted-pair unshielded unshielded unshielded unshielded 
Rx error count 0) 0 0 0 
Switch status : int. 0 Tie, ik Int. 2 int 3 internal 
Rx frame count 3183 0 0) 0 6294 
Tx frame count 6294 0 0 0 SLB3 
Tx frame check 6294 0 0 0 6294 
Tx fem Dry -eur 6294 0 0 0) 
Tx firm Dry: pry 6294 0 0 0 
Tx frz prd max 0 0 0 0 
Tx fr2-Pstrt 0 0 0 0 
Polling Mode : Hie 
OAPOLLING_INTR_FCC 
Driver Informations 
TX BDs available = 82 
(next to write = 22 , next to read = 104) 
(total number = 128 , threshold = 32) 
rxbufSize = 2048 , rxOffset = 102 
bdSize = 2048 


RX activity Entries = 3448 Exits = 3448 (Exits with AddJob = 0) 
Processed BDs/Frames (including following errors) = 3183 
Error too short = 0 
Error Cl/Mblk Alloc = 
Error port id not found 
Error RX stalled 
RTP filterered out = 
Max capacity reached = 
MC dropped = 
BC dropped = 
Received BDs/Frames with Erro 
Length (LARGE _PKT_RCV) = 
Length (LEN_ERROR) 
Alignment = 
CRC = 
Overrun = 
Free Rx queue min O max 256 elm max 256 “count 127 full N empty N 
Tx Free queue min O max 256 elm max 256 count 46 full N empty N 
RX queue min O max 128 elm max 128 count O full N empty Y 


OOOO OnK OOOO CO CO oO 


s (from FEC) = 0 


6294 


Te aCrivet y Entries = 6294 Exits OK 
Transmit packets with Errors = 0 
Transmitted with a deferral 
Single collision = 
Multiple collisions = 
Dropped due to core FIFO underrun = 
Dropped due to late collision = 
numZcopysends = 
TxRestartAddJob OK = 
TX numStallsEntered = 


4 numNonZcopySends = 6280 
TxRestartAddJob KO = 
numStallsCleared 


COrRCCCOSO 
| 
co) 


| 
co) 
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Current Stall State = 0 
TX queue min O max 128 elm max bao COunt O full N empty Y 
Miscellaneous 
Fec Start Entries = 0 Exits OK = 0 
Fec Stop Entries = 0 Exits OK = 0 
rxAlignErrs = QO (0) 
rxLateCols = QO (0) 
rxCRCErrs = QO (0) 
rxLargePkts = O (0) 
rxXRxOFullErrs = QO (0) 
rxMIIErrs = QO (0) 
rxRuntPkts = O (0) 
rxFreeQEmptyErrs = O (0) 
txDeferredPkts = O (0) 
tx1lColPkts = O (0) 
txMultColPkts = QO (0) 
txCoreFifoErrs = QO (0) 
reserved_0 = O (0) 
reserved_l = 116733 (0) 
txDroppedPkts = O (0) 
txLateCols = O (0) 


FEC NetPool Id = 0x8199CABO 


Use the following command in global mode to reset actual statistics counters: 


CLI> show configuration interface { fastethernet | gigabitethernet } 
<unit> reset 


2.2.5 SFP module identification 


For OneOS-based routers fitted with a SFP port, the following command allows retrieving the SFP module 
characteristics: 


CLI> show transceiver equipment 


SFP module inventory information: 


Physical device = SFP transceiver 
connector = LC 
vendor: 
name = ONE ACCESS 
id = 000 
partNumber = 0A501150 
revision = 
serialNumber = MA09030370030 
dateCode = OO Oleg 
transceiver: 
sonetOc48 = not available 
sonetOc12_ 3 = OC 3, single mode inter. reach 
gigaEthernet = not available 
fiberLinkLen = not available 
fiberTech = not available 
fiberTxMedia = not available 
fiberSpeed = not available 
encoding = Reserved 
nominalBitRate = 100 Mbps 


Link léengeh ins 


Single fiber mode = 15 km 
Single fiber mode = 15000 m 
50u multi-mode fiber = Om 
62.5u multi-mode fiber = Om 
copper cable = Om 
options = Loss of Signal 


TX_FAULT signal 
TX_DISABLE signal 
not specified 

not specified 


Max bit rate 
min bit rate 


After a SFP module is inserted, it takes some seconds for its characteristics can be read. During this 
period, the following message is displayed: 


CLI> show transceiver equipment 


Waiting for diagnostic monitoring information to settle down 
Please try again after a few seconds 


In case no module is present: 


CLI> show transceiver equipment 


No SFP module present 
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See alSO show interfaces <type> <unit> transceiver command in "IPv4 Statistics" chapter of 
"OneOS — Basic IP User Guide" document. 


2.2.6 Test mode 


In some cases, It is desirable to force an Ethernet port in "up" state, although no cable is connected. This 
permits the testing of some functions (e.g. routing) before connecting the router to a live customer network. 
The command is the following: 


CLI (config-if)> no keepalive 
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3 ETHERNET OAM 


This section explains the Ethernet OAM functionality on the OneOS-based routers. OAM stands for 
Operations, Administration and Maintenance. |t thereby explains several applicable standards that provide 
the following functionality: 


e ITU-T Y.1731 — OAM functions and mechanisms — allows detecting problems and providing 
performance management in the Ethernet network. 


e IEEE 802.1ag — Connectivity Fault Management (CFM) — allows detecting problems in the Ethernet 
network. 


And also: 


e IEEE 802.3ah — clause 57: Operations, Administration, and Maintenance (OAM) — allows monitoring 
the quality of a point-to-point Ethernet link. 


e MEF 17 — Service OAM requirements and framework — describes the framework for detecting 
problems and providing performance management in the Ethernet network. 








I I 

100FX 100FX 
Customer | Media Media Media Media I Customer 
Equipment ] Converter Converter Converter Converter I Equipment 


901Nap uoITeoJeWAp [e1°Z08 
Sd1Aap uOITeOIeWAp [e1"Z0g 
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The following table provides an overview of the functionalities of the standards: 


\Standard ITU-T Y.1731 messages, | IEEE 802.1ag messages,| IEEE 802.3ah (clause 57) 
Function\ replies and indications | replies and indication functions 


Fault management 


[Fautnoticaion | AIS/RDI—~PRDI_—=~S*S*~*d CR ale cation 
N/A 


Frame loss ratio Continuity Check, 
poops ie Mace Link monitoring with 


Frame delay Delay Measurement N/A threshold crossing alarms 
Frame delay variation Delay Measurement N/A 
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3.1 CONNECTIVITY FAULT MANAGEMENT: 802.1AG/Y.1731 


The IEEE 802.1ag and ITU-T Y.1731 standards provide CFM or Connectivity Fault Management over the 
Ethernet network, i.e. full OAM functionality. 


Both standards are functionally compatible. However, throughout the entire Ethernet OAM network, the 
same standard must be used everywhere. 


3.1.1 Why Ethernet OAM? 


Before the era of Ethernet OAM, Ethernet was a best-effort type of network: there was no QoS, no SLA.... 
This has changed with the arrival of Ethernet OAM. 


There is a need for Ethernet Service Level Agreements (SLA) and service intelligence, as found in 
competing services (FR, ATM...). 


End-to-end performance verification is needed; SLA must be verified. Ethernet OAM can provide 
performance metrics in order to accomplish this. 


SLA performance service parameters are: 


e Availability. This is the service uptime expressed as a percentage of time, e.g., 99.99% or 99.999% 
availability for the service. 


e Frame Delay. The maximum frame delay for x% of ClR-conforming frames is continuously monitored 
over a specified interval. Delay can be specified on either a roundtrip or one-way basis. Roundtrip is 
adequate for most applications, while one-way is important for broadcast applications such as video. 


e Frame Jitter. This is defined as the difference between the maximum and minimum delays in the 
frame delay test. 


e Frame Loss. This is the percentage of ClR-conforming frames that are dropped during transport. 


3.1.2 Demarcation 


OAM brings intelligence into the Ethernet network. In order to realize end-to-end performance verification, 
an Ethernet network is divided, demarcated, into maintenance domains. 


Devices that set the boundaries of the maintenance domains are referred to as demarcation devices. 
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3.1.3 Maintenance domains 


The following figure illustrates the different domains that are defined by the Ethernet OAM standards: 
e Customer OAM domain. 

e Provider OAM domain. 

e Operator OAM domain. 


, Customer — || Service provider =” Operator = —_ Service provider | Customer | i 





Customer domain 





Provider domain 


| Operator Operator domain | Operator 
domain domain 


The customer enters into an end-to-end service contract with the provider; the provider enters into a 
contract with the operator, to realize network facilities. 


The OAM maintenance domains facilitate manageability and accountability, so that responsibilities among 
the different parties are clearly demarcated. 


OAM maintenance domains can nest but not overlap; OAM information must be prevented from leaking 
between the different domains. 
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3.1.4 Maintenance points 


Depending on the position in the Ethernet OAM network, devices are referred to as Maintenance End Point 
(MEP) or Maintenance Intermediate Point (MIP); this is illustrated in the following figure: 


Customer Service provider Operator Service provider ; Customer 


y-F == 
a S&S &- 


BRE o SR ES 


Eth Access MPLS Core MPLS Access 










Customer domain 


Provider domain 





Operator : Operator domain : Operator 
domains: / domain 
: MPLS domain | MPLS 
Vv = Maintenance End Point domain 


@ = Maintenance Intermediate Point 


A MEP is a Maintenance End Point. This is a CFM station that can initiate, terminate and react to CFM 
messages. 


A MIP is a Maintenance Intermediate Point. This is a CFM station that listens to CFM messages and 
forwards them; it responds to Loopback Messages and Link Trace Messages. 


A MEP is regarded as an inward facing MEP, or an outward facing MEP, depending on the direction where 
the CFM messages are coming from: 


e Inward facing MEP (or Up MEP in the IEEE 802.1ag standard). This is a MEP residing In a bridge that 
transmits CFM PDUs towards, and receives them from, the direction of the Bridge Relay Entity. 


e Outward facing MEP (or Down MEP in the IEEE 802.1ag standard). This is a MEP residing in a bridge 
that receives CFM PDUs from, and transmits them towards the direction of the LAN. 


This is illustrated in the following figure: 


Vv 
> > 
Inward facing Outward facing 
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3.1 


5 





MEG levels 


One link between two MEPs is a ME or Maintenance Entity. 
MEG levels are used to distinguish between OAM frames belonging to different nested MEs. 


All MEs exist in the same administrative domain and have the same MEG level; MEG stands for 
Maintenance Entity Group. Each MEG level has its own ID, which varies between 0 and 7. 


All MEs belong to the same VLAN, i.e. each VLAN has its own levels. 


The exact usage of the MEG levels is negotiated between the different parties involved in the Ethernet 
network. For instance, the 8 MEG levels could be divided between the three defined service domains 
described above as follows: 


o Level 7, 6 and 5 belong to the customer domain. 
o Level 4 and 3 belong to the provider domain. 
o Level 2, 1 and 0 belong to the operator domain. 


All this is illustrated in the following figure: 


(S-)VLAN X v=1MEP (S-)VLAN Y 


Customer 
domain 


Provider 
domain 


Operator 
domain 
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3.1.6 Messages 
The quality of a link is monitored by sending certain types of message, according to the IEEE 802.1ag 
standard. These are: 
e Continuity Check Message (CCM): 
o ACCM can be enabled or disabled. 
o ACCMisa multicast message from a MEP. 
o It is received by MEPs and MIPs; MIPs forward the CCM without examining it. 
o It is catalogued and stopped by receiving MEPs; they cannot go beyond the receiving MEP. 
e Loopback Message and Reply (LBM, LBR) 


o This is a unicast message from a MEP to a MEP or MIP, which replies with a unicast message 
to the originating MEP. 


o ALoopback message is stopped at the destination MAC address. 
e Linktrace Message and Reply (LTM, LTR): 
o This is anext-hop multicast message from a MEP to next MEP or MIP along the route. 


o The receiver both replies with a unicast message to the original MEP and sends the Linktrace 
message to next MEP/MIP. 


o ALinktrace message is stopped at the destination MAC address. 
e Alarm Indication (AIS) 
o This is a multicast message from a MEP or MIP when the link in a certain inferior domain fails 
(it is sent in the opposite direction). 
3.1.6.1 | Continuity Check Messages (CCM) 
MEPs periodically exchange Continuity Check OAM messages to detect loss of continuity or incorrect 
network connections. 
A CC message is a multicast message to each MEP in a MA/MEG at each administrative level. 


CC Messages can also be used to perform two way dual-ended Frame Loss measurements. A Flags field 
is incorporated in the CC Messages. This field includes a bit for Remote Defect Indication (RDI) and an 
indication of the period at which CC Messages are transmitted. 


What can CC detect? 

e Service cross-connect (Service ID mismatch). 

e Duplicate MEP configurations (MEP ID match). 

e Missing or unexpected MEPs (Optional check: unexpected MEPs may not be an error). 
e Forwarding loops (duplicate Transaction IDs). 

e Data loss (missing Transaction IDs or Lifetime expiration). 

e Data corruption (bad optional data checksum). 

e Bad frame size configuration (CC with optional data fails to reach other MEPs). 

What is the output from CC? 


e Each MEP has a MIB that lists the configured list of other MEPs (if any) and the catalogue of active 
MEPs received from CCs. 


e Failures are normally reported to the network manager via SNMP traps. 
3.1.6.2 | Loopback Message (LBM/LBR) 


MEPs send loopback messages to verify connectivity with another MEP or MIP for a specific MA/MEG. 
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Loopback is a ping-like request/reply function. A MEP sends a loopback request message (LBM) to 
another MEP or MIP, which generates a subsequent loopback reply (LBR). LBMs and LBRs are used to 
verify bidirectional connectivity. They are typically initiated by operator command. 


A MEP is provisioned to send LBMs periodically. Loopback is a unicast OAM message. 

What is the purpose of Loopback? 

e Loopback follows the unicast data path, not the multicast path. 

e Sending Loopback to successive MIPs can determine the location of a fault. 

e Sending a high volume of Loopback Messages can test the bandwidth and reliability of a service. 


A MEP is also provisioned to send multicast loopback messages. All peer MEPs that receive this message 
will generate a loopback reply. MIPs are transparent with regard to multicast loopbacks. The purpose of 
multicast loopback is to get a list of all peer MEPs with whom bidirectional connectivity is detected. 


3.1.6.3  Linktrace Message (LTMW/LTR) 


MEPs multicast Linktrace Messages on a particular MA/MEG to identify adjacency relationships with 
remote MEPs and MIPs at the same administrative level. 


LTM can also be used for fault isolation. The message body of a LTM includes a destination MAC address 
of a target MEP that terminates the Linktrace. When a MIP or MEP receives a LTM, it generates a unicast 
LTR (Link Trace Reply) to the initiating MEP. It also forwards the LTM to the target MEP destination MAC 
address. 


An LTM effectively traces the path to the target MEP. 
3.1.6.4 Alarm Indication Signal (AIS) 


The Ethernet Alarm Indication Signal (AIS) is used to suppress alarms at the client layer following 
detection of defect conditions at the server layer. The reasoning here is that the defect for which the AIS 
message is sent, is detected on another level and is handled there, so that management systems are not 
overloaded by duplicate alarms for the same fault. 


AIS messages can be transmitted in following cases: 
e Whena CCM defect is detected. 

e Incase of a Loss of Continuity (LOC). 

e When an AIS message is received. 

e Incase of link problems (ex: link is down). 


For a point-to-point ETH connection at the client layer, a MEP can determine that the server layer entity 
providing connectivity to its peer MEP has encountered defect condition upon receiving a frame with ETH- 
AlS information. For multipoint ETH connectivity at the client layer, a MEP cannot determine the 
associated subset of its peer MEPs for which it should suppress alarms since the received ETH-AIS 
information does not contain that information. Therefore, upon reception of a frame with ETH-AIS 
information, the MEP will suppress alarms for all peer MEPs whether there is still connectivity or not. 


Upon detecting a defect condition the MEP can immediately start transmitting periodic frames with ETH- 
AlS information at a configured client MEG Level. A MEP continues to transmit periodic frames with ETH- 
AlS information until the defect condition is removed. Upon receiving a frame with ETH-AIS information 
from its server layer, a client layer MEP detects AIS condition and suppresses alarms associated with all 
its peer MEPs. A MEP resumes alarm generation upon detecting defect conditions once AIS condition is 
cleared. 


When a MEP detects a connectivity defect, it will send multicast AIS frames opposite from the MEP's 
facing direction, and at the specified higher MEG level. So, the MEPs that receive the AIS messages are 
located on a higher level than the MEP that has sent them, and these are not the peer MEPs at the same 
level. These MEPs may in turn send other AIS messages at even higher levels. 


By using AlS messages MEPs are rapidly notified of defects in the middle of the domain, faster than 
having to wait for example for a loss of continuity, when a number of CCMs were not received. 


Remark that the AIS feature is only defined in the ITU-T Y.1731 standard and not in IEEE 802.1ag. 
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3.1.6.5 | Remote Defect Indication (RDI) 


A MEP sends a Remote Defect Indication, or RDI, to notify peer MEP(s) that it has detected a defect 
condition. RDI is mainly employed in networks where only portions of it are directly managed. 


The RDI is one bit of the CCM frames, so RDI can only be sent by a MEP in case the transmission of CC 
messages is enabled on that MEP. As a consequence, RDI messages are sent in the same direction as all 
other CFM messages that are sent by the MEP. 


In case of a point-to-point connectivity, when a MEP receives an RDI, it is evident that its peer MEP has a 
defect condition. In multipoint setups however, a MEP receiving a Remote Defect Indication cannot 
determine the source of the defect(s), since it only knows the sender of the RDI frame. MEPs that transmit 
RDI frames do not always know the source of the defect(s) themselves. 


Remark that the RDI feature is only defined in the ITU-T Y.1731 standard and not in IEEE 802.1ag. 
3.1.6.6 | Frame Delay (DMM/DMR) 


Frame Delay (FD) is specified as round trip delay for a frame, where FD is defined as the time elapsed 
since the start of transmission of the first bit of the frame (DMM or Delay Measurement Message) by a 
source node until the reception of the last bit of the loop backed frame (DMR or Delay Measurement 
Reply) by the same source node, when the loopback is performed at the frame’s destination node. 


3.1.6.7 Ethernet Fault Detection and Propagation (EFD) 


Ethernet interfaces do not have a line protocol that is independent from the status of the physical layer. 
From the moment the Ethernet interface is physically up, data can pass. 


CFM could be considered as a line protocol for controlling Ethernet interfaces. In case of a CFM defect, 
like Loss of Continuity, the interface can be disabled. This feature is called Ethernet Fault Detection and 
Propagation, or EFD, and it is only available for inward facing MEPs. When the interface, to which the 
inward facing MEP belongs, is disabled, the MEP stays up and CFM frames are still flowing. When the 
CFM defect disappears, EFD will bring the MEP's interface up again. 
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3.2 


3.2.1 


3.2.2 


3:2:3 


CFM CONFIGURATION 


Global configuration 


To globally enable CFM (Connectivity Fault Management) processing on an OneOS-based router, use the 
following command in global configuration mode: 


CLI(configure)> [no] ethernet cfm enable 


To disable CFM processing, use the no form of the command. 


Continuity Check 


To enable transmission of Continuity Check Messages (CCMs) on a certain MEG level and VLAN ID use 
the following command in global configuration mode: 


CLI (configure)> [no] ethernet cfm cc enable level <lvl> vlan <vid> 
lv1 is the MEG level (0 - 7) and vid is the VLAN ID (0 - 4094) on which the CCMs will be sent. A VLAN 
ID of O means untagged CCM frames. 


By default, the time interval between the sending of two CCMs by the same MEP is 1 second and a remote 
MEP will be declared down after 3 messages without response. 


Use the no form of the command to disable the CCM transmission again. 


To modify the default values of CCMs sending (see above) on a MEG level and VLAN ID, use the following 
command in global configuration mode: 


CLI (configure)> [no] ethernet cfm cc level <lvl> vlan <vid> 
[interval <time>] [loss-threshold <msgs>] 
time is the time interval between the sending of two CCMs by the same MEP. The possibilities are: 
100ms, 1s, 10s, 1m and 10m. Default value: 1s. 


msgs is the number (2 - 255) of CCMs that should be missed before a remote maintenance endpoint 
(MEP) is down. Default value: 3. 


Use the no form of the command to re-apply the default values. 


Domain 


To define a CFM maintenance domain at a particular maintenance level and enter in Ethernet CFM 
configuration mode, use the following command in global configuration mode: 


CLI(configure)> [no] ethernet cfm domain <domain-name> level <lvl> 


CLI (config-—ecfm) > 


domain-—name is a String of 43 characters at most and is used as the Maintenance Domain Name in the 
CCM messages. This is an identifier, unique over the domain for which CFM is to protect against 
accidental concatenation of service instances, of a particular Maintenance Domain. 


lv1 is the MEG level (0 - 7). 


When in Ethernet CFM configuration mode, parameters specific to a maintenance domain can be set. 
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Use the no form of the command to remove the domain and all its under-laying properties. 


3.2.3.1 Service 


To set a universally unique ID for a customer service instance within a maintenance domain, use the 
following command in Ethernet CFM configuration mode: 


CLI (config-ecfm)> [no] service <ma-name> vlan <vid> 
ma-name Is a String of 43 characters at most and is used as the Short Maintenance Association Name in 
the CCM messages. It must be unique within its maintenance domain. 
vid is the VLAN ID (0 - 4094) on which the service is defined. A VLAN ID of 0 means untagged. 


Use the no form of the command to remove the service. 


3.2.3.2 Crosscheck 


To enable crosschecking between the list of configured MEPs of a domain and MEPs learned through 
CCMs, use the following command in Ethernet CFM configuration mode: 


CLI (config-ecfm)> [no] mep crosscheck mpid <mpid> vlan <vid> 
[mac <macaddress>] 
mpid is the MEP ID (0 - 8191) of the remote MEP. 
vid is the VLAN ID (0 - 4094) on which the remote MEP is located. A VLAN ID of 0 means untagged. 


macaddress is the expected MAC address of the remote MEP (optional). 


Use the no form of the command to remove the crosscheck configuration. 


To configure the amount of time (in seconds) that an OneOS-based router waits, after start-up, for the 
remote MEPs to come up before the crosscheck operation is started, use the following command in global 
configuration mode: 


CLI(configure)> [no] ethernet cfm mep crosscheck start-delay <secs> 


The default value for the start-delay interval secs is 30 seconds. 


Use the no form of the command to return back to the default value. 
3.2.3.3 Frame Delay 


Frame Delay is specified as round trip delay for a frame, where Frame Delay is defined as the time 
elapsed since the start of transmission of the first bit of the frame by a source node until the reception of 
the last bit of the loop backed frame by the same source node, when the loopback is performed at the 
frame’s destination node. 


A Frame Delay test towards a remote MEP can be started with the following command in Ethernet CFM 
configuration mode: 


CLI(config-ecfm)> [no] mep framedelay { mac <macaddress> 
| mpid <mpid> } vlan <vid> 
Use this command to set the destination of the Delay Measurement Messages (DMMs). The destination 
can either be configured by using the MEP ID mpid or via a MAC Address macaddress. 


vid Is the VLAN ID (0 - 4094) on which the DMMs will be sent. A VLAN ID of 0 means untagged DMM 
frames. 
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DMM frames are sent every second. 


Note that Frame Delay is only supported in ITU-T Y.1731 and hybrid mode. For IEEE 802.1ag MEPs this 
command will be ignored. 


Use the no form of the command to remove the Frame Delay configuration. 


3.2.3.4 Frame Loss 


Frame Loss is the number of data frames that are dropped during transport from one MEP to another. 


A Frame Loss test towards a remote MEP can be started with the following command in Ethernet CFM 
configuration mode: 


CLI (config-ecfm)> [no] mep frameloss { mac <macaddress> 
| mpid <mpid> } vlan <vid> 
Use this command to set the destination of the Loss Measurement Messages (LMMs). The destination can 
either be configured by using the MEP ID mpid or via a MAC Address macaddress. 


vid is the VLAN ID (0 - 4094) on which the LMMs will be sent. A VLAN ID of 0 means untagged LMM 
frames. 


LMM frames are sent every second. 


Note that Frame Loss is only supported in the ITU-T Y.1731 and hybrid mode. For IEEE 802.1ag MEPs 
this command will be ignored. 


Use the no form of the command to remove the Frame Loss configuration. 


3.2.3.5 Alarm Indication Signal (AIS) 


3.2.3.6 


Use the following command in Ethernet CFM configuration mode to enable and configure AlS support on a 
MEP: 


CLI (config-ecfm)> [no] mep ais period <period> vlan <vid> cos <cos> 
level <lvl> 


period Is the AIS transmission period. The possibilities are: 100ms, 1s, 10s, 1m, 10m. 


vid Is the VLAN ID (0 - 4094) on which the AIS frames will be sent. A VLAN ID of 0 means untagged AIS 
frames. 


cos specifies the Class of Service of the VLAN tagged AIS messages. 


lv1 Is the client MEG level (0 — 7). 

Use the no form of the command to remove the Alarm Indication Signal configuration. 
Exit 

To exit the Ethernet CFM (domain) configuration mode: 


CLI (config-ecfm)> exit 
CLI (configure) > 
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3.2.4 MEP and MIP 


Use the following command in interface configuration mode to configure a Maintenance End Point (MEP) 
on an Ethernet interface: 


CLI(config-if)> [no] ethernet cfm mep level <lvl> [inward | outward] 
mpid <mpid> vlan <vid> [standard <std>] 


Note: in V4.2R5E7 software release only FastEthernet and EFM interfaces are supported. 


1lv1 is the MEG level (0 - 7) on which the MEP is defined. A MEP can be configured inward or outward on 
the interface. The default is inward facing. 


mpid is the MEP ID (0 - 8191). 

vid Is the VLAN ID (0 - 4094) on which the MEP is located. A VLAN ID of 0 means untagged. 
std specifies the standard used by the MEP. Possible values are: 

e yl1731, to set the MEP in ITU-T Y.1731 mode 

e dotiag, to set the MEP in IEEE 802.1ag mode 


e hybrid, to set the MEP in IEEE 802.1ag mode, including the delay and loss functionality of the 
Y.1731 standard. This is the default standard setting. 


Note: a MEP configured on an interface which is not a member of a bridge group stays deactivated until 
the interface is added to a bridge group. 


Use following command in interface configuration mode to configure a Maintenance Intermediate Point 
(MIP) on an Ethernet interface: 


CLI(config-if)> [no] ethernet cfm mip level <lvl> vlan <vid> 
[standard <std>] 


Note: in V4.2R5E7 software release only FastEthernet and EFM interfaces are supported. 
1v1 is the MEG level (0 - 7) on which the MIP is defined. 
vid is the VLAN ID (0 - 4094) on which the MIP is located. A VLAN ID of 0 means untagged. 


std specifies the standard used by the MIP (refer to MEP definition above). 


Note: a MIP configured on an interface which is not a member of a bridge group stays deactivated until the 
interface is added to a bridge group. 


3.2.5 Tests 
3.2.5.1 Traceroute Ethernet 


Use the following command in global mode to start a Linktrace (traceroute Ethernet) test to a MEP or MIP 
at a destination MAC address: 


CLI> traceroute ethernet <macaddress> level <lvl> vlan <vid> 


macaddress is the Ethernet address of the destination Managed Point (MP). 
1v1 Is the MEG level (0 - 7) on which the destination MP is defined. 
vid Is the VLAN ID (0 - 4094) on which the destination MP is located. A VLAN id of 0 means untagged. 
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A LMM frame is sent to the destination MP. The Time-To-Live (TTL) is 255 and the per-hop timeout is 10 
seconds. 


The result is a table with following information: 


ttl, relayAction, ingressAction, ingressMacAddress, egressAction, egressMacAddress 
ttl is the Time-To-Live of the forwarded Linktrace Message when the LTR was sent. 


Possible values for relayAction are: 


e xrlyHit: when a destination MEP or MIP receives a Linktrace message, it sends back an rlyHit 
message to the Linktrace initiator. 


e rlyFdb: when a MIP receives a Linktrace message, and forwards it, it sends back an rlyFdb 
message to the Linktrace initiator. 


ingressAction shows how normal data frames are handled by the receiver that also receives the 
Linktrace Messages. Currently, the only possible value is ingOk. 


ingressMacAddress shows the Ethernet address of the receiver of Linktrace Messages. 


egressAction shows how normal data frames are handled by the receiver that also forwards the 
Linktrace Messages. Currently, the only possible value is egrok. This field is not always present in the 
Linktrace Reply. 


egressMacAddress shows the Ethernet address used by the receiver to forward the Linktrace 
Messages. This field is not always present in the Linktrace Reply. 


The traceroute Ethernet test can be stopped with the ESC key. 


3.2.5.2 Ping Ethernet 


Use the following command in global mode to start a Loopback (ping Ethernet) test to a MEP or MIP ata 
destination MAC address or in multicast mode: 


CLI> ping ethernet { <macaddress> | multicast } level <lvl> vlan <vid> 
[length <length>] 


macaddress is the Ethernet address of the destination Managed Point (MP). 
1v1 is the MEG level (0 - 7) on which the destination MP is defined. 
vid Is the VLAN ID (0 - 4094) on which the destination MP is located. A VLAN ID of 0 means untagged. 


length Is optional; it is the length in bytes of the TLV data carried by the loopback. It can range from 0 to 
1500 bytes; if unspecified it is 0. 


This command is used to test connectivity between the source MEP and a remote MP. 


Five LBM frames of size 64 bytes are then sent to the destination MP. The timeout per response is 
5 seconds. 


The ping Ethernet test can be stopped with the ESC key. 
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3.3 CFM STATISTICS AND DEBUG 


3.3.1 Local maintenance-points 


The get an overview of the local maintenance points, i.e. the configured MEPs and MIPs on the device, 
use the following command in global mode: 


CLI> show ethernet cfm maintenance-points local 


The following information is shown: 


Type, MPID, Level, Vlan, Mac Address, Port, Direction, CC-Status, Domain, Service 


CC-Status can have following values: 
e Enabled, when a matching ethernet cfm cc enable configuration was found. 
e Disabled, when no matching ethernet cfm cc enable configuration was found. 


e Inactive, when the line protocol on the interface is down. 


3.3.2 Remote maintenance-points 


For an overview of the remote maintenance endpoints (MEPs) statically configured on the device, use the 
following command in global mode: 


CLI> show ethernet cfm maintenance-points remote 


The following information is shown: 


MPID, Level, Vlan, Mac Address, IngressPort, PortState, Age(sec), Domain, Service 


Age (sec) is the time interval since the last reception of a valid CCM frame. 


3.3.3 Remote crosscheck 


To display the crosscheck status of the remote maintenance endpoints (MEPs) statically configured on the 
device, use the following command in global mode: 


CLI> show ethernet cfm maintenance-points remote crosscheck 


The following information is shown: 


MPID, Level, Vlan, Remote Mac Address, Mep-Up 


Mep-Up can have three possible values: 
e Yes, when there is no Loss of Continuity for the remote MEP 
e No, when there is a Loss of Continuity for the remote MEP 


e Start-—Delay, when the crosscheck start-delay has not elapsed yet since the start-up of the device. 


3.3.4 CFM frame statistics 


To display the performance parameters of all Ethernet CFM frames sent and received by the MEPs and 
MIPs on the device; use the following command in global mode: 
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CLI> show ethernet cfm statistics 


Following MEP statistics are shown: 
e Continuity Check: 

tx, rxValid, rxRdi, rxSeqError, rxBadMegLevel, rxMismerge, rxUnexpPeriod, rxUnexpMep 
rxValid is the total number of CC messages that were received correctly. 
rxRdi is the total number of CC messages with the Remote Defect Indication (RDI) set. 
rxSeqError is the total number of received CC messages that were out of sequence. 
rxBadMegLevel Is the total number of received CC messages of which the MEG Level was not correct. 


rxMismerge is the total number of received CC messages of which the MEG Level was correct, but the 
MEG ID was wrong. 


rxUnexpPeriod is the total number of received CC messages of which the CCM period is not the same 
as on the MEP on which it is received. 


rxUnexpMep Is the total number of received CC messages of which the MEG Level was correct, the MEG 
ID was correct, but the MEP ID was wrong. 


e Loopback: 


txLbm, rxLbm, txLbr, rxLbr, rxLbrOutOfSeq, rxLbrTooLate 


rxLbrOutOfSeq is the total number of received loopback replies that were out of sequence. Out of 
sequence means that the order in which the loopback frames are received, is different from the order in 
which they were sent. 


rxLbrTooLate Is the total number of received loopback replies that were delayed for more than 
5 seconds. 


e __Linktrace: 


txLtm, rxbLtm, txLtr, rxLtr, rxbLtrTooLate 


rxLtrTooLate Is the total number of received Linktrace replies that were delayed for more than 
10 seconds. 


e Frame Delay: 


txDmm, rxDmm, txDmr, rxDmr 


e Frame Loss: 


txLmm, rxLmm, txLmr, rxbLmr 


e Discards 


Following MIP statistics are shown: 
e Loopback: 


rxLbm, txLbr 


e _Linktrace: 


rxLtm, txLtm, txLtr 


e Discards 


An OAM frame may be discarded (Discards) by a MEP or a MIP when: 

e Receiving an out of sequence Loopback Reply. 

e Receiving a late Loopback Reply. 

e Incase of a Linktrace Message, the destination MAC address is not present yet in the bridge cache. 


e The TTL of a Linktrace Message is 0. 
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3.3.5 


txDmm, 


3.3.6 


3.3.7 


e Incase of a Linktrace Reply, no buffer can be allocated for the reply. 
e AMEP receives an LTM frame which was actually sent to another MEP. 


e A late Link Trace Reply. 


All statistics can be reset with the command: 


CLI> clear ethernet cfm statistics 


Frame Delay statistics 


To get the statistics of all Frame Delay tests configured on the device, use the following command in global 
mode: 


CLI> show ethernet cfm statistics framedelay 


Following information is shown: 


rxDmr, loss, lossDelay, minDelay, avgDelay, maxDelay, maxJitterMin, avgJitter, maxJitterPlus 
loss Is the current loss of the link within the loss window of 10 samples. 


lossDelay Is the current loss of the link within the delay window. 


minDelay, avgDelay and maxDelay are the minimum, average and maximum delay that was measured 
in the link, all in seconds. 


maxJitterMin Is the maximum negative jitter deviation that was measured on the link. 


avgJitter is the average jitter and maxJitterPlus Is the maximum measured positive jitter deviation, 
all in seconds. 


Frame Loss statistics 


To get the statistics of all Frame Loss tests configured on the device, use the following command in global 
mode: 


CLI> show ethernet cfm statistics frameloss 


Following information is shown: 


txLmm, rxLmr, loss, nearEndDrops, farEndDrops 


loss Is the number of lost LMR frames. 


nearEndDrops Is the total number of data frames dropped on the interface on which the source MEP is 
defined. In other words: it is the number of data frames sent by the destination interface, minus the number 
of data frames received by the local interface. 


farEndDrops Is the total number of data frame drops on the destination MEP. In other words: it is the 
number of data frames sent by the local interface, minus the number of data frames received by the 
destination interface. 


Traceroute cache 


To show the results of the last traceroute Ethernet test, use the following command in global mode: 


CLI> show ethernet cfm traceroute-cache 
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3.3.8 Errors 


For an overview of the last errors (up to 20), use the following command in global mode: 


CLI> show ethernet cfm errors 


Following information per error log entry is shown: 
sysUpTime, source MAC, level, mpid, vlan, domain, service, error 
Possible values for error are: 
e mismerge: when a CC message is received with a correct MEG Level, but with a wrong MEG ID. 


e unexpected MEP: when a CC message is received with a correct MEG Level, a correct MEG ID, but 
with a wrong MEP ID. 


e unexpected level: when a CC message is received of which the MEG Level was not correct. 


e unexpected period: when a CC message is received of which the CCM period is not the same as 
on the MEP. 


e rx ais: when an AlS frame is received 


The error table can be cleared with the following command in global mode: 


CLI> clear ethernet cfm errors 


3.3.9 Debugging 


To enable the debugging of Ethernet CFM message packets, use the following command in global mode: 


CLI> [no] debug ethernet cfm packets 


All received and transmitted Ethernet CFM packets will be dumped on the console. 


To disable the debugging, use the no form of the command. 
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3.4 CFM EXAMPLE 


3.4.1 Setup with Inward and Outward CFM 


The figure below shows a simple setup with 3 devices. The central device (one100D) is the one which will 
be described in more detail. It is connected to the device on the left via an EFM link, and is connected to 
the device on the right via a FastEthernet link. 


ONE100D 
‘ efm 0 


untagged, level 3 : 
MEP 32 \ ee A MEP 31 


vian 1, level 4 
MEP 41 yo —_¥ MEP 42 


MIP 





The central device has an outward facing MEP with MEP ID 31 and an inward facing MEP with MEP ID 41 
defined on the EFM 0 interface. It also has a MIP defined on the FastEthernet 1/0 interface. 


MEP 31 is located on MEG level 3 and is sending and receiving untagged Ethernet CFM frames. 
MEP 41 is located on MEG level 4 and is sending and receiving Ethernet CFM frames on VLAN ID 1. 


Following steps must be made for the configuration: 

e Globally enable Ethernet CFM. 

e Define domains for MEG levels 3 and 4. 

e In these domains define services on the required VLANs (0 and 1). 
e Configure the EFM interface. 


e Activate bridging by declaring a bridge virtual interface (BVI) and attach it to the EFM and 
FastEthernet interfaces. 


e Add the MEPs to the EFM interface 
e Enable CCM transmission on required level and VLAN. 


e Add the crosscheck and test configurations to the domains. 


This is the configuration: 


ethernet cfm enable 
ethernet cfm domain TESTDOMAIN4 level 4 
service TESTMA4 vlan 1 

mep crosscheck mpid 42 vlan 1 
exit 
ethernet cfm domain TESTDOMAIN3 level 3 
service TESTMA3 vlan 0 

mep crosscheck mpid 32 vlan 0 
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mep frameloss mac 00:C0:89:10:A8:CE vlan 0 
mep framedelay mpid 32 vlan 0 
exit 
ethernet cfm cc enable level 4 vlan 1 
ethernet cfm cc enable level 3 vlan 0 
interface FastEthernet 0/0 

pcaddress: 192 2L6G.te2lO 2559.25 9%200.0 
exit 
interface FastEthernet 1/0 

bridge-group 1 

ethernet cfm mip level 4 vlan 1 
exit 
interface Bvi 1 

bridge-group 1 
exit 
controller shdsl 0 

dsl-group 0 

autoconfig 
execute 

exit 
exit 
interface efm 0 

bridge-group 1 

ethernet cfm mep level 3 outward mpid 31 vlan 0 
ethernet cfm mep level 4 inward mpid 41 vlan 1 
dsl-group 0 
exit 


There is no need to configure a VLAN 1 in order to be able to send or receive Ethernet CFM frames on 
MEP 41. 


To get an overview of all locally configured Maintenance Points: 


CLI> show ethernet cfm maintenance-points local 


Type MPID Level Vlan Mac Address Port Direction CC-Status Domain Service 
MEP 31 3 0 00:12:EF:74:30:0C efm 0 Outward Enabled TESTDOMAIN3 TESTMA3 
MEP 41 4 1 00:12:EF:74:30:0C efm 0 Inward Enabled TESTDOMAIN4 TESTMA4 
Type Level Vlan Mac Address Port 

MIP 4 1 00:12:EF:70:30:0C FastEthernet 1/0 


This table shows the two MEPs 31 and 41 on interface EFM 0 and the MIP on interface FastEthernet 1/0. 
Sending of CC Messages is enabled on both MEPs. 


For an overview of the remote MEPs from the crosscheck table: 


CLI> show ethernet cfm maintenance-points remote 


MPID Level Vlan Mac Address IngressPort PortState Age(sec) Domain Service 
32 3 0 00:C0:89:10:A8:CE efm 0 UP 1 TESTDOMAIN3 TESTMA3 
42 4 1 00:C0:89:08:23:B4 efm 0 UP 0 TESTDOMAIN4 TESTMA4 


This command also shows us the MAC address of the remote MEPs, which can be interesting when 
starting tests (see further). The EFM 0 is UP. The Age shows that the last CC Message from MEP 32 was 
received about one second ago, and from MEP 42 less than one second ago. 


To verify if the remote MEPs are UP or DOWN: 


CLI> show ethernet cfm maintenance-points remote crosscheck 


MPID Level Vlan Remote Mac Address Mep-Up 
bs 3 O° -00CO 2739: LOSASG?CE.. Yes 
42 4 1. 00:CO269208:232B4 Yes 


So both MEP 32 and 42 have no Loss of Continuity problem. 
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To get an overview of all Ethernet CFM frame statistics: 


CLI> show ethernet cfm statistics 





Statistics for MEP id 31 on domain TESTDOMAIN3, service TESTMA3, level 3, vlan 0, outward on port efm 0 





Continuity Check: 
4038 tx, 4039 rxValid, O rxRdi, O rxSeqError, 0 rxBadMegLevel 
O rxMismerge, 0 rxUnexpPeriod, 0 rxUnexpMep 
Loopback: 
QO txLbm, O rxLbm, 0 txLbr, O rxLbr, 0 rxLbrOutOfSeq, O rxLbrTooLate 
Linktrace: 
0 txLtm, O rxLtm, O txLtr, O rxLtr, O rxLtrTooLate 
FrameDelay: 
3767 txDmm, O rxDmm, O txDmr, 3767 rxDmr 
FrameLoss: 
3717 txLmm, O rxLmm, O txLmr, 3717 rxLmr 
Discards: 0 frames 





Statistics for MEP id 41 on domain TESTDOMAIN4, service TESTMA4, level 4, vlan 1, inward on port efm 0 





Continuity Check: 
4039 tx, 4038 rxValid, O rxRdi, O rxSeqError, 0 rxBadMegLevel 
O rxMismerge, 0 rxUnexpPeriod, 0 rxUnexpMep 
Loopback: 
OQ txLbm, O rxLbm, O txLbr, O rxLbr, O rxLbrOutOfSeq, O rxLbrTooLate 
Linktrace: 
QO txLtm, O rxLtm, O txLtr, O rxLtr, O rxLtrTooLate 
FrameDelay: 
0 txDmm, O rxDmm, O txDmr, O rxDmr 
FrameLoss: 
0 txLmm, O rxLmm, O txLmr, O rxLmr 
Discards: 0 frames 





Statistics for MIP on domain TESTDOMAIN4, service TESTMA4, level 4, vlan 1, port FastEthernet 1/0 





Loopback: 

0 rxLbm, O txLbr 
Linktrace: 

QO rxLtm, O txLtm, O txLtr 
Discards: 0 frames 


As can be seen MEP 31 and MEP 41 receive valid CCM frames, and MEP31 receives Frame Delay replies 
(rxDmr) and Frame Loss replies (rxLmr). 


Frame Delay statistics can be viewed with the command: 


CLI> show ethernet cfm statistics framedelay 


FrameDelay statistics for destination MEP id 32 on domain TESTDOMAIN3, service TESTMA3, level 3, vlan 0 





txDmm rxDmr loss lossDelay minDelay avgDelay maxDelay maxJitterMin avgJitter maxJitterPlus 





3890 3890 0 0 0.005 0.005 0.006 -0.001 0.000 0.001 


There is a round-trip delay of about 5 ms over the EFM link. There is almost no jitter because no other data 
is being sent over the link. 


And Frame Loss statistics can be viewed with the command: 


CLI> show ethernet cfm statistics frameloss 


FrameLoss statistics for destination MAC 00:C0:89:10:A8:CE on domain TESTDOMAIN3, service TESTMA3, level 3, vlan 0 





txLmm rxLmr loss nearEndDrops farEndDrops 





3906 3906 0 0 0 


To send Ethernet CFM loopback frames to destination MEP 32: 
CLI> ping ethernet 00:C0:89:10:A8:CE level 3 vlan 0 


Type escape sequence to abort. 
Sending 5 64-byte Ethernet CFM loopback messages to 00:C0:89:10:A8:CE, timeout is 5 seconds: 








Success rate is 100 percent (5/5), round-trip min/avg/max = 5.6/5.8/5.9 ms 


An example of an Ethernet CFM Link Trace towards destination MEP 42: 
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CLI> traceroute ethernet 00:C0:89:08:23:B4 level 4 vlan 1 


Type escape sequence to abort. TTL 255. Per-hop timeout is 
Tracing the route to 00:C0:89:08:23:B4 on domain TESTDOMATI 
Traceroute sent via efm 0 





10 seconds 
N4, service TESTMA4, 


level 4, vlan 1 








B = Intermediary Bridge 
! = Target Destination 

ttl relayAction ingressAction ingressMacAddress egressAction egressMacAddress 
B 254 rlyFdb ingOk 00:12:EF:70:30:0C egrOk 00:12:EF:70:30:0C 
! 253 rlyHit ingOk 00:C0:89:08:23:B4 notPresent 00:00:00:00:00:00 


There are two Link Trace Replies: the first one by the MIP on FastEthernet 1/0 of the central device and 


the second one by the destination MEP. 


Here is an example of an error log: 


CLI> show ethernet cfm errors 







































































sysUpTime source MAC level mpid vlan domain service error 
O00d17h38m1l1s 00:C0:89:10:A8:CE 3 32 0 TESTDOMAIN3 TESTMA mismerge 
O00d17h38m12s 00:C0:89:08:23:B4 2 42 1 TESTDOMAIN4 TESTMA4 unexpected level 
O000d17h38m12s 00:C0:89:10:A8:CE 3 32 0 TESTDOMAIN3 TESTMA mismerge 
O00d17h38m13s 00:C0:89:08:23:B4 2 42 1 TESTDOMAIN4 TESTMA4 unexpected level 
000d17h38m13s 00:C0:89:10:A8:CE 3 32 0 TESTDOMAIN3 TESTMA mismerge 
O00d17h38m14s 00:C0:89:08:23:B4 2 42 1 TESTDOMAIN4 TESTMA4 unexpected level 
000d17h38m14s 00:C0:89:10:A8:CE 3 32 0 TESTDOMAIN3 TESTMA mismerge 
O00d17h38m15s 00:C0:89:08:23:B4 2 42 1 TESTDOMAIN4 TESTMA4 unexpected level 
O000d17h38m15s 00:C0:89:10:A8:CE 3 32 0 TESTDOMAIN3 TESTMA mismerge 
O00d17h38m16s 00:C0:89:08:23:B4 2 42 1 TESTDOMAIN4 TESTMA4 unexpected level 
O00d17h38m16s 00:C0:89:10:A8:CE 3 32 0 TESTDOMAIN3 TESTMA mismerge 
O00d17h38m17s 00:C0:89:08:23:B4 2 42 1 TESTDOMAIN4 TESTMA4 unexpected level 
O000d17h38m17s 00:C0:89:10:A8:CE 3 32 0 TESTDOMAIN3 TESTMA mismerge 
O00d17h38m18s 00:C0:89:08:23:B4 2 42 1 TESTDOMAIN4 TESTMA4 unexpected level 
O000d17h38m18s 00:C0:89:10:A8:CE 3 32 0 TESTDOMAIN3 TESTMA mismerge 
O000d17h38m19s 00:C0:89:08:23:B4 2 42 1 TESTDOMAIN4 TESTMA4 unexpected level 
000d17h38m19s 00:C0:89:10:A8:CE 3 32 0 TESTDOMAIN3 TESTMA mismerge 
O00d17h38m20s 00:C0:89:08:23:B4 2 42 1 TESTDOMAIN4 TESTMA4 unexpected level 


From this error log table it is clear that the name of the service on MEP 32 Is incorrect (TESTMA must be 
TESTMAS) and that MEP 42 is located on a wrong MEG level (2 must be 4). These two changes were 
made to show the output of the preceding show commands. 


For debugging purposes it can be interesting to see all the Ethernet CFM frames that were sent and 
received by a device (remote MEPs were configured correctly again): 


CLI> debug ethernet cfm packets 


22:33: 
1233 
223: 
223: 
223: 
223% 
223: 
on 
223: 
2238 
2233 
223: 
223: 
223: 
7235: 
2235 
on 
223% 
2235 
223: 
223: 
223: 
2238 
223: 
123° 
on 
723:: 
223% 
223: 
223: 
223: 
223: 


08. 
08. 
08. 
08. 
08. 


680 
686 
733 
980 
981 
09.180 
09.187 
efm 0 
09.287 
09.680 
09.686 
09.733 
09.980 
.981 
.180 
.186 


tx 
rx 
rx 
tx 
tx 
tx 
rx 


TXFCE 
TXFCE 
802.1lag, 


0, level 3, 
0, RxFCE£ 
mepid 42, 


vid 0, on efm 0 

0, TxFCb 0, level 
mdName TESTDOMAIN4G, 
802.lag, mepid 31, mdName TESTDOMAIN3, 
802.lag, mepid 41, mdName TESTDOMAIN4, 
TxTimeStampf = 63845s180000000ns, 
TxTimeStampf 63845s180000000ns, 


ucast = 
ucast 
mcast 
mcast 
mcast 
ucast 


ucast 


LMM, 
LMR, 
CCM, 
CCM, 
CCM, 
DMM, 
DMR, 


mcast 
ucast 
ucast 
mcast 
mcast 
mcast 
ucast 
ucast 


rx 
tx 
rx 
rx 
tx 
tx 
tx 
rx 


CCM, 
LMM, 
LMR, 
CCM, 
CCM, 
CCM, 
DMM, 
DMR, 


802.1lag, 
TXFCE 
TXFCE 
802.1lag, 


mepid 32, 
0, level 3, 
0, RxFCE£ 

mepid 42, 


mdName TESTDOMAIN3, 
vid 0, on efm 0 
0, TxFCb 0, level 
mdName TESTDOMAIN4, 
802.lag, mepid 31, mdName TESTDOMAIN3, 
802.lag, mepid 41, mdName TESTDOMAIN4, 
TxTimeStampf = 63846s180000000ns, 
TxTimeStampf 63846s180000000ns, 


.287 
. 680 
.686 
5133 
. 980 
0.981 
1.180 
1.186 
fm 0 

.287 
. 680 
.686 
«133 
.980 
.981 


mcast 
ucast 
ucast 
mcast 
mcast 
mcast 
ucast 
ucast 


rx 
tx 
rx 
rx 
tx 
tx 
tx 
rx 


CCM, 
LMM, 
LMR, 
CCM, 
CCM, 
CCM, 
DMM, 
DMR, 


802.1ag, 
TxFC£ = 0, 
TxFC£ = 0, 
802.lag, mepid 42, 


mepid 32, mdName TESTDOMAIN3, 
level 3, vid 0, on efm 0 

RxFC£ = 0, TxFCb 0, level 
mdName TESTDOMAIN4, 
802.lag, mepid 31, mdName TESTDOMAIN3, 
802.lag, mepid 41, mdName TESTDOMAIN4, 
TxTimeStampf = 63847s180000000ns, 
TxTimeStampf 63847s180000000ns, 


(I cee aoa 


mcast 
ucast 
ucast 
mcast 
mcast 
mcast 


rx 
tx 
rx 
rx 
tx 
tx 


CCM, 
LMM, 
LMR, 
CCM, 
CCM, 
CCM, 


802.lag, mepid 32, 
TxFCf = 0, level 3, 
TXFCE 0, RxFCE£ 
802.lag, mepid 42, 
802.lag, mepid 31, 


802.lag, mepid 41, 


mdName TESTDOMAIN3, 
vid 0, on efm 0 

0, TxFCb 0, level 

mdName TESTDOMAIN4G, 

mdName TESTDOMAIN3, 

mdName TESTDOMAIN4G, 








RPrRrRerR eR 
RPrRrRrR eR 


level 3, 
RxTimeStampf 


level 3, 
RxTimeStampf 


level 3, 
RxTimeStampf 


3, vid 0, on efm 0 
shortMaName TESTMA4, 
shortMaName TESTMA3, 
shortMaName TESTMA4, 
vid 0, on efm 0 
OsOns, 


shortMaName TESTMA3, 


3, vid 0, on efm 0 
shortMaName TESTMA4, 
shortMaName TESTMA3, 
shortMaName TESTMA4, 
vid 0, on efm 0 
OsOns, 


shortMaName TESTMA3, 


3, vid 0, on efm 0 
shortMaName TESTMA4, 
shortMaName TESTMA3, 
shortMaName TESTMA4, 
vid 0, on efm 0 
OsOns, 


shortMaName TESTMA3, 


3, vid 0, on efm 0 

shortMaName TESTMA4, 
shortMaName TESTMA3, 
shortMaName TESTMA4, 
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TxTimeStampb 


TxTimeStampb 


TxTimeStampb 


level 4, 
level 3, 
level 4, 


vid 1, 
vid 0, 
vid 1, 


OsOn 


level 3, vid 0, 


level 4, 
level 3, 
level 4, 


vid 1, 
vid 0, 
vid. 1, 


OsOn 


level 3, vid 0, 


level 4, 
level 3, 
level 4, 


vid 1, 
vid 0O, 
vid 1, 


OsOn 


level 3, vid 0, 


level 4, 
level 3, 
level 4, 


vid: iL, 
vid 0O, 
vid 1, 


on 


on 


on 


S, 


on 


on 


on 


on 


S, 


on 


S, 


on 


on 


on 
on 


efm 0 
efm 0 
efm 0 
level 3, 
efm 0 
efm 0 
efm 0 
efm 0 
level 3, 
efm 0 
efm 0 
efm 0 
efm 0 
level 3, 
efm 0 
efm 0 


efm 0 
efm 0 


vid 


vid 


vid 


Page 3.4-35 of 89 


ONEOS V4.3R4 /V5.1R3 BRIDGING & LAN USER GUIDE (EDITION 10) 


3.4.2 Setup with Ethernet Fault Detection (EFD) 


An OneAccess router is used for a layer-2 service for Ethernet Private Line (EPL) service over EFM. It is 
desired that the LAN interface (UNI) is disabled when no CCM are received through EFM. To release such 
scenario, CFM must be activated on the OneAccess router: the router will be a MEP where Ethernet OAM 
will be sent inward from LAN to the telecom operator network. 






Mi efm 0 (NNI) gigabitethernet 0/0 (UNI) 


vian 1, level 4 


The following is expected: 


e The inward-facing MEP forms a managed link with its peer in the network. If the CC Messages are not 
arriving anymore at a MEP for a certain time (3.5s by default), because the service (can be VLAN link 
on EFM interface) has dropped, the MEP enters a LOC (Loss of Continuity) defect condition. The EFD 
feature is expected to bring down the link protocol of the UNI. CCM frames are still generated because 
it is an inward-facing MEP. As soon as the NNI (WAN) link is restored, the CCM mechanism brings 
the MAC layer up again. 


e If the local LAN goes down, the RDI bit in the CCM frames will be set and these CCM frames will 
arrive at the other side, causing an RDI defect situation. If EFD is set there, it is possible to bring down 
the MAC layer of the remote LAN and bring it back up again when the RDI situation is cleared. 


Configuration Example 


ethernet cfm enable 
ethernet cfm domain D4 level 4 
service S4 vlan 1 

mep crosscheck mpid 42 vlan 1 
exit 
ethernet cfm cc enable level 4 vlan 1 
interface GigabitEthernet 0/0 
bridge-group 1 

ethernet cfm mep level 4 inward mpid 41 vlan 1 efd 
exit 
interface Bvi 1 

bridge-group 1 
exit 
controller shdsl 0 

dsl-group 0 

autoconfig 
execute 

exit 
exit 
interface efm 0 

bridge-group 1 

dsl-group 0 
exit 


Explanation 
Ethernet CFM must be enabled globally. 


ethernet cfm enable 
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A domain D4 is defined on MEG level 4 and in that domain a Service S4 is defined on VLAN 1. On this 
VLAN 1, we will verify the connectivity with a peer MEP with MEP ID 42. 


ethernet cfm domain D4 level 4 
service S4 vlan 1 

mep crosscheck mpid 42 vlan 1 
exit 


CCM frames must be enabled for MEG level 4 on VLAN 1. 


ethernet cfm cc enable level 4 vlan 1 


An inward-facing MEP with MEP ID 41 is defined on the GigabitEthernet interface 0/0, VLAN 1. 
ethernet cfm mep level 4 mpid 41 vlan 1 efd 


The EFD feature of the MEP will bring down the MAC layer of the GigabitEthernet interface in case of 
defects (these defects will also result from a WAN or peer LAN connectivity failure). 
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4 


WIRELESS LAN CONFIGURATION 





4. 


1 


INTRODUCTION TO WLAN 


The purpose of this introduction is to give an overview of wireless LAN networks (WLAN) and a tutorial 
about associated protocols. 


The diagram below represents the different elements of the WLAN protocol: 


Link Layer 


Station Packet Encryption, 
Authentication Authentication 


Medium Access Control 


Radio Layer 





Figure 1. 802.11 Protocol Stack 


The 802.11 WLAN standards are made up of standards for data transmission over a radio medium and 
protocols using this medium. Overview of each functional block: 


Radio layer: this layer transports WLAN frames over a wireless medium and converts the bit stream 
into an analog signal. Three standards are available in the OneOS-based routers: 802.11b that 
supports transmit rates up to 11 Mbps, 802.11g that supports transmit rates up to 54 Mbps, and 
802.11n that supports transmit rates up to 130 Mbps. 


Medium Access Control (MAC): the MAC layer determines how packets are formatted and sent over 
the air. Because the air interface is a shared medium, the MAC layer uses a transmission technique 
that selects which WLAN station can emit so that collisions are avoided. 


Station authentication: to avoid any WLAN station to participate to a WLAN network, they must first 
be authenticated. 


Packet encryption/authentication: packets can be encrypted and sent with a digital signature, so 
that packets cannot be read by any intruder, modified or emitted by a user spoofing the identity of 
another user. 


The OneOS-based routers offer a WLAN access point (AP) service (except ONE30/60/200/400 and 
ONECell25). In this topology, WLAN clients (laptops, desktops, PDA...) are member of a BSS (Basic 
Service Set). A BSS is workgroup, where WLAN clients communicate with each other via an Access Point 
(AP). All frames must transit through the AP. The AP sends periodically the beacon frame that contains the 
accepted transmit-rates and serves as synchronization frame for WLAN clients. 


The BSS is identified by a string called SSID (Service Set Identifier). AP and WLAN clients must use the 
same SSID to be able to communicate with each other. We can make the analogy of SSID being a VLAN 
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in the wireless world: it provides a virtual separation of WLAN networks. An AP supporting multiple SSID 
can be viewed as multiple virtual AP. As WLAN clients "see" multiple AP, all protocol elements of an AP 
must be replicated (e.g. an AP with multi-SSID sends one beacon frame per SSID). All OneAccess routers 
support the multi-SSID capability. An application case for multiple SSID is the following: a company 
reserves a SSID for its internal use (access to a Microsoft network and sensitive servers) and another 
SSID for guest access (visitors can connect to the Internet while not having access to enterprise data 
resources). 






SSID for Visitors 


Ly 
OT 










Company’s private 


LAN 
i 





Figure 2. Multi-SSID Application Case 


In order for a WLAN station to attach to the access point, it must go through several steps: 


e Detection of the access point: the WLAN client detects the channel on which the access point is 
emitting. The client also may detect the SSID of the available AP. 


e Association: When a client starts, a probe request is sent out with its SSID. If the SSID corresponds 
to the AP’s SSID, the AP sends a response that contains its capabilities (especially supported rates). 
Then, the client sends an association request to the selected AP and must authenticate. 


e Authentication: the WLAN standards define several authentication types. The client must be 
configured in a compatible mode with the AP. The simplest form is the "Open" authentication where 
actually no authentication takes place. A more advanced authentication scheme is WPA-PSK 
(Wireless Protected Access - Pre-Shared Key), where a pre-shared key enables strong authentication 
and is the basis for deriving an encryption key. The last authentication type is 802.1X (or simply called 
WPA). 


4.1.1 Encryption 


Once authentication has succeeded, the communication between the AP and the WLAN station can be 
encrypted. The encryption depends on the authentication type: 


e Open: no encryption or WEP encryption (Wired Equivalent Privacy). WEP uses a static key that is 40 
or 128 bits long. 


e WPA-PSK: WEP cannot be used, but rather TKIP or AES-CCMP. Both algorithms use a Primary 
Master Key (PMK) derived from authentication as a seed to initiate an encrypted communication 
channel between the AP and the WLAN client. 


e 802.1X: only TKIP or AES-CCMP, where a PMK derived from authentication is used as a seed for 
encryption initiation. 


TKIP (Temporal Key Integrity Protocol) was designed to replace WEP, to provide robust security without 
replacing legacy hardware. For this reason, TKIP re-use the same WEP encryption hardware: a key 
scheme based on RC4 is used, but unlike WEP, it encrypts every packet with its own unique (WEP) 
encryption key: a temporal key is generated for every sent packet that is derived from the previous 
temporal keys. The initialization vector (IV) is hashed instead of being sent in clear text, thus addressing 
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one of the largest WEP security flaws. TKIP provides per-packet key mixing, a message integrity check 
(MIC) and a re-keying mechanism, thus addressing other security issues with WEP. 


CCMP is built on the Advanced Encryption Standard (AES), which provides high encryption security. The 
CCMP guaranties packet integrity and authentication. Overall TKIP and AES-CCMP provide equal security 
robustness. 


4.1.2 Authentication using 802.1X 


802.1X relies on the EAP protocol (Extensible Authentication Protocol, RFC 3748) that permits the 
authentication of clients to unblock a port. EAP can run theoretically over multiple media including wired 
Ethernet and WLAN (In OneOS, EAP can only be applied on a WLAN interface). Three main components 
are found in the EAP protocol: 


e Supplicant: typically the WLAN client that initiates the authentication process. 
e Authenticator: typically the AP. It relays authentication requests to the authentication server. 


e Authentication server: the server effectively terminates the EAP session. If authentication is 
successful, the Authentication server passes encryption keys to the Authenticator so that an encrypted 
communication can take place between the AP and the WLAN client. The authentication server is an 
AAA RADIUS server. The authenticator relays EAP requests encapsulated in RADIUS packets. 
Therefore, the authentication server is a RADIUS server that must support EAP protocol extensions. 


EAP over LAN (EAPOL) is referred to as the 802.1X standard. EAP has a special protocol ID that 
differentiates EAP from other protocols (such as IP, IPX...) in LAN/WLAN headers. 


EAP is actually a container protocol that in turn supports multiple authentication protocol (EAP-TLS, 
PEAP...). The layered architecture is provided below: 


EAP-SIM PEAP EAP-TLS EAP-PSK 


EAP 


: 
E 
a 


802.1X 


802.3 Ethernet 802.11 WLAN 


2) 


Figure 3. EAP and encapsulation layers 


The EAP protocol provides a generic request-response framework. The authentication actually takes place 
within a protocol encapsulated in EAP. When EAP starts, the user must provide its identity. Upon the 
initiative of the RADIUS server, authentication starts. The RADIUS server sends challenges and expects 
responses, which are then translated to the client EAP-requests/responses. Once the authentication was 
successful, the RADIUS server forwards the Primary Master Key (PMk) to the AP. From the PMK, the AP 
can derive the encryption key to communicate with the client. 


The protocol encapsulated within EAP is rather transparent to the AP. When you configure an OneOS- 
based router to run in WPA mode, you can configure the WLAN clients with PEAP or EAP-TLS. The only 
requirement is that the clients be compatible with the RADIUS server. 


A summary diagram is presented below: 
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Supplicant Authenticator (AP) Auth. Server 


: EAPOL Start : 


EAP Request Identity 


: EAP Response: Identity 
ee RADIUS Access-request (Identity) 





Port is Open 


EAP Log-off 
ssxu_w_-— PB 
Port is Blocked 


Figure 4. EAP Message Flow 


4.1.3 WPA1.2, WPA2.0 and 802.11i 
WPA (Wireless Protected Access) version 1.2 defines TKIP & MIC algorithm to provide encrypted and 
authenticated traffic between WLAN clients and the AP. Authentication is realized via PSK or 802.1X. 


WPA 2.0 (or 802.111) requires CCMP (with AES as encryption algorithm) as a means to secure 
communication. 802.111 brings also some improvements to allow faster hand-offs between WLAN cells. 


4.1.4 Wireless for Multi-Media (WMM) 


WMM provides prioritization QoS. It defines four classes called “Access Categories” (AC) derived from 
IEEE 802.11d/p standard and improves the original Distributed Coordination Function (DCF) protocol by 
giving priority traffic for each classes (EDCF). The four ACs were designed for specific types of traffic as 
voice, video, best effort and lower priority data. But the network administrator is free to choose which traffic 
should have the appropriate priority. 





Wi-Fi QoS prioritizes packets based on DSCP, Precedence, 802.1q/p tag ... by assigning a Layer 2 CoS 
(Classes of Service) value of 1 to 7. The radio maintains four priority queues, one for each Access 
Categories. 
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The selection process of AC is made using 3 modes (see dot 11 gqos-mapping command): 


e DSCP-based only, this is default behavior: in this mode DSCP value is mapped to CoS value which in 
turn is mapped to an AC. The default mapping is as follows: 


DSCP Value CoS Value 





es ee 


3 


4 
(no Ga 


The DSCP mapping is configurable (see dot11 gos dscp-cos-mapping command). All possible 
DSCP values can be mapped to an appropriate CoS value, which in turn is mapped to an AC. 


e CoS-based value only: in this mode the current CoS value is mapped to an AC. Previous CoS value 
may result from a "match/set" done at the input interface. 


e Based on CoS value and (if CoS not set) based on DSCP: in this mode, if the current CoS value is 
set, it is mapped to an AC, otherwise the DSCP value is used, mapped to a CoS value (using default 
mapping or the defined mapping), which in turn is mapped to an AC. 


Enhanced DCF (EDCF) provides differentiate Distributed Coordination Function (DCF) access to the 
Access Categories. EDCF have an algorithm to resolve collision among different queues, which select the 
packet with the higher priority to transmit. 


The collision algorithm uses the Contention Window (CW) and the Arbitration Inter-Frame Space (AIFSN) 
parameters to prioritize the traffic. These parameters are defined for each AC. A backoff timer is calculated 
from a random value ranging from zero to a current CW (CW value is set initially to CWmin). If a collision is 
detected, the CW is doubled and a new random value is calculated thus resulting in a new backoff timer. 
The CW is doubled until a maximum CW value (the CWmax depends on the AC). After successful 
transmission, the CW is set again to CWmin. The highest priority queues have got short backoff times, CW 
and AIFSN. When the transmission becomes successful, the backoff timer is reset to the initial value. 


Two sets of values are used based on WMM Specification 1.1 rules and/or values. 


The first set_of values is applied by the AP for frames sent by the AP to wireless stations. These 
parameters are set using the CLI command dot11 gos class ... 





CWmin CWmax 


Voice 


Video 


Best Effort 


Background 





AIFSN Backoff 
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Values for the minimum and the maximum contention window (CW), and the slot time follow the rules 
defined by Table 15 of WMM Specification version 1.1. 


The equivalent Table 15 for OneOS-based routers is the following (default values): 





The second set of values is advertised from AP to wireless stations using the WMM Parameters Element 
IE provided in Beacon frames, Probe Response frames and Association Responses frames for QoS-STA. 


These parameters are set using the CLI command dot11 gos class-—bss ... 


Values for the minimum and the maximum contention window (CW), and the slot time follow the rules 
enacted by WMM Specification version 1.1 -Table 13. 


The equivalent Table 13 for OneOS-based routers is the following (default values): 





4.1.5 Wireless for Multi-Media Power-Save (WMM Power-Save) 


The WMM power-save procedures are based on the legacy procedures, but an option for Unscheduled 
Automatic Power-Save Delivery (U-APSD) is added. U-APSD is a solution well suited to the dynamic 
environments where WI-FI is typically deployed and allows the client to download all or some of the frames 
buffered by the access point during unscheduled Service Periods. 


When enabled, U-APSD feature is negotiated with Wi-Fi stations during the association with the AP. 
Disabling U-APSD implies the use of the legacy procedures. 
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4. 


2 


WIFI EXTEND COVERAGE 


WiFi is ubiquitous in the enterprise since PCs, PDA and smart phones now embed WiFi clients. In some 
cases the access router provides the WiFi access point feature (as for example in the OneOS-based router 
range), but the location of the access router or the size of the office could not allow covering the full 
geographical area. Adding one or more access points to have a full coverage is the solution but the 
management of all these access points may rapidly turn in a nightmare. 


The Access Point Controller (APC) is the software application included in OneOS that allow configuration 
and management in a centralized way of all the access points (AP). APC software and ONEAir1 AP 
together build the OneAccess WiFi extent coverage solution. 


ONEAir1 are business class 802.11 b/g WiFi access points. Compact and powerful ONEAir1 embeds 
enhanced features as Multi SSID (up to 4), VLAN and WMM/QOS management. Thanks to the Access 
Point Controller the ONEAir1 are associated to the OneOS-based router building so a secured WiFi 
Network. Up to 16 AP can be associated to the OneOS-based router. 


LAN 








ONE Router | OnedAir1 





uplink 
WLAN AP 





e Automatic channel selection 
and provisioning e Automatic reboot 

e Automatic configuration after firmware update 
and firmware update 


Easy OneAir1 installation 


e Remote OneAir1 access 


The main functions of the APC are: 

e Secured association with ONEAir1 AP. 

e AP automatic firmware and configuration update. 
e Centralized management of AP. 

e AP configuration profile management. 


e AP and WiFi client statistics collector. 
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4. 
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WIFI PROTECTED SETUP (WPS) 


WiFi Protected Setup (WPS) is a standard that simplifies the configuration of WiFi security parameters in 
WiFi terminals. 


WPS provides specific requirements for extending wireless networks to provide an In-Band (WiFi) 
communication channel to automatically configure a wireless network with a network name (SSID) and 
strong WPA data encryption and authentication, by typing a short PIN (numeric code) or pushing a button 
(Push-Button Configuration, or PBC). 


The following figure describes the major WPS components and their interfaces. 


REGISTRAR 







ENROLLEE 


The Enrollee (WiFi station) is the device seeking to join the WLAN domain. 


The Registrar is an entity with the authority to accept and revoke the Enrollee from the network. A 
Registrar may not have WLAN capability and may be integrated into the AP (Internal Registrar) or 
separate from the AP (External Registrar). 


With OneOS the Registrar is integrated on the AP and the WiFi Protected Setup State attribute in 
Beacon and Probe Response is set by default to configured because the AP is already configured with 
an SSID, an encryption/authentication mode and a strong key or passphrase. 


The In-Band (WiFi) is used as the default communication channel through EAP/802.1X transport protocol. 
As of V4.3R2E2 software release, WPS supported features are: 

e Internal registrar, 

e WPS support can be activated or deactivated by the user, 

e The default WPS method is PIN (8 digits), 

e The PIN method is implemented only as PIN entered manually by the user on the AP GUI. 
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4.4 CONFIGURING WLAN 


You must first configure the SSID logical sub-interfaces. Then, you can configure the dot11radio physical 
interface. 


Note that 4 SSID at most can be configured (unit number from 1 to 4) and the overall number of 
associated WLAN clients with OneAccess AP cannot exceed 32 clients. 


4.4.1 SSID Settings 
4.4.1.1 Common SSID Parameters 


By default, the access point indicates the SSID name in the beacon frame. WLAN clients scan the air and 
thereby get the list of SSID and AP, which they can associate with. This mode is referred to as SSID 
broadcasting or guest mode (because guest clients are invited to associate to advertised SSID). For 
security reasons, it is desirable to disable the guest-mode (default enable): 


CLI (configure)> interface dotllradio 0/0.<unit> 
CLI (config-if)> ssid <ssid-name> 
CLI (conf-ssid)> no guest-—mode 


On SSID using WPA or WPA-PSK authentication, the key for broadcast frames has to be refreshed 
periodically by performing a key rotation. The broadcast key is rotated every 1800 sec by default. Enter the 
following command to change the rotation period (in seconds): 


CLI (configure)> interface dotllradio 0/0.<unit> 

CLI (config-if)> ssid <ssid-name> 

CLI (conf-ssid)> broadcast-key change <30-100000000> 
The default period is set as follows: 

CLI (conf-ssid)> default broadcast-—key 
Intra-SSID filtering: in some cases, it is required to forbid a user attached to the AP to communicate with 
another user connected to the same AP. This can be required when you want that all packets first go 


through a firewall before being forwarded to another destination. This filtering type is always active 
(default) but can be disabled with the following command: 


CLI(conf-ssid)> [no] intraforwarding 
The number of associated clients can be controlled in order to preserve throughput performance within a 


radio cell. By default, up to 255 associations are allowed; the number of associations can be reduced by 
means of the following command: 


CLI (conf-ssid)> max-associations <1-255> 


4.4.1.2 | Open Authentication without Encryption 


In this mode, no encryption and no authentication are activated. The configuration is fairly straightforward. 


CLI (configure)> interface dotllradio 0/0.<unit> 
CLI (config-if)> ssid <ssid-name> 
CLI (conf-ssid)> authentication open 
CLI (conf-ssid)> encryption none 
CLI (conf-ssid)> exit 
( )> 


CLECCOnEPG—=acr ip address { <a.b.c.d> <mask> [secondary] | dhcp } 


Note: one must shutdown the interface when changing any authentication or encryption parameter. 
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4.4.1.3. Open Authentication with WEP Encryption 


In this mode, encryption is done via WEP key(s). You can define up to 4 keys; so 4 different users have 
their personal keys. With open authentication, actually, no authentication is done. The WEP key length can 
be 40, 104 or 128 bits long (respectively: 5, 13 or 16 characters long). Every key is registered in a key slot 
(ranging from 1 to 4) of the WLAN hardware. Keys are global to the AP, which means they are shared 
among the different SSID. That is the reason why only the default WEP keys are defined under each SSID 
and WEP keys are configured globally under the dot11radio 0/0 interface (see 4.4.1.7). 


interface dotllradio 0/0.<unit> 
ssid <ssid-name> 


CLI (configure 
Cll (CGnrig-Lt 


CLP (cont—seid authentication open 
CLI (cont=ssi0 default-key <1-4> 
Chi (cont—ssid exit 


( ) > 
( )> 
( be 
CLI (conf-ssid)> encryption { wep40 | wep104 | wep128 } 
( ) > 
( ) > 
( )> 


CEL (Conrig=2 5 ip address { <a.b.c.d> <mask> [secondary] | dhcp } 


With WEP encryption, you can force authentication whereby it is verified that the same shared key is 
configured on the AP and WLAN client. However, this mode is not recommended, as it is very easy for a 
hacker to derive the WEP key from authentication messages. The shared key authentication is enabled as 
follows: 


CLI (configure)> interface dotllradio 0/0.<unit> 
CLI (config-if)> ssid <ssid-name> 
CLI (conf-ssid)> authentication shared 


Note: one must shutdown the interface when changing any authentication or encryption parameter. 
4.4.1.4 Authentication WPA-PSK or WPA2-PSK 


In this mode, encryption is done via TKIP or AES-CCMP. You need to select the encryption mode and the 
pre-shared key. 


interface dotllradio 0/0.<unit> 
Chi. (contio-it ssid <ssid-name> 
Chi (ecni-ssid authentication { wpa-psk | wpa2-psk } 


CLI (configure) > 
( )> 
( Le 
CLI (conf-ssid)> encryption { tkip | aes-ccm } 
( )> 
( ee 
( }? 


CLE (cont —ssid passphrase <psk-string> 

CLE (eonit—ssid exit 

Cli (eontig=i17 ip address { <a.b.c.d> <mask> [secondary] | dhcp } 
The psk-string Is a String of up to 63 characters. 
To remove the passphrase, use the no passphrase command. 


Note: one must shutdown the interface when changing any authentication or encryption parameter. 
4.4.1.5 | Authentication 802.1X (WPA or WPA2) 


802.1X requires that all EAP frames be forwarded to a RADIUS server. Before configuring the 802.1X 
authentication mode, you must first configure the RADIUS servers dedicated to 802.1X authentication 
within an AAA group. An AAA group is configured as follows: 1) Configure some RADIUS servers. 2) 
Attach them inside an AAA group. Please refer to "AAA Configuration" section of "AAA (Authentication, 
Authorization and Accounting)" chapter in "OneOS — Admin User Guide" for more information. 


Declaration of a RADIUS server: 
CLI (configure)> radius-server <ip-address> <key> [<port>] 
[ <source-interface> <source-if-unit> J 
Attachment of a RADIUS server to an AAA group: 
CLI(configure)> aaa group server radius <group-name> 
CLI (config-sg-radius)> server <server-ip-address> 
Example: 


radius-server 10.0.0.200 shared_secret 1812 
aaa group server radius eap_radius 
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server 10.0.0.200 
exit 


If several servers are defined, OneOS will always contact the last RADIUS server in the list. 


Then, you can configure the SSID with the required encryption algorithm and associate the RADIUS server 


group. 
CLI (configure)> interface dotllradio 0/0.<unit> 
CLI (config-if)> ssid <ssid-name> 
CLI (conf-ssid)> authentication { wpa | wpa2 } <radius-—aaa-group> 
CLI (conf-ssid)> encryption { tkip | aes-ccm } 
CLI (conf-ssid)> exit 
CLI(config-if)> ip address { <a.b.c.d> <mask> [secondary] | dhcp } 


Note: one must shutdown the interface when changing any authentication or encryption parameter. 
4.4.1.6 | Mixed Authentication 


It is possible to allow the station to associate to the SSID with both authentication modes WPA or WPA2 
(respectively WPA-PSK or WPA2-PSk). By this mode you can ensure a good security level for most of 
stations with WPA2 (or WPA2-PSK) but you continue to accept old clients which support only WPA (or 
WPA-PSK). This authentication mode is only available with auto encryption security mode. 


In case of WPA or WPA-PSK, the encryption mode TKIP is automatically selected. 
In case of WPA2 or WPA2-PSK, the encryption mode AES-CCM is automatically selected. 
To configure mixed mode WPA or WPA2: 


CLI (configure)> interface dotllradio 0/0.<unit> 

CLI (config-if)> ssid <ssid-name> 

CLI (conf-ssid)> authentication wpa-mixed <radius-aaa-group> 

CLI (conf-ssid)> encryption auto 

CLI (conf-ssid)> exit 

CLI(config-if)> ip address { <a.b.c.d> <mask> [secondary] | dhcp } 


To configure mixed mode WPA-PSK or WPA2-PSK: 


interface dotllradio 0/0.<unit> 
ssid <ssid-name> 


CLI (configure 
CLL (contig=1f 


CLI (conft-—ssid authentication wpa-psk-mixed 
CLI(cont=ssid passphrase <psk-string> 
CLI (conf-ssid exit 


( jie 
( ) > 
( ) > 
CLI (conf-ssid)> encryption auto 
( Me 
( ) > 
( A 


Chi (Conta g=i-t ip address { <a.b.c.d> <mask> [secondary] | dhcp } 


Note: one must shutdown the interface when changing any authentication or encryption parameter. 
4.4.1.7 Global Interface Settings 


WEP keys are defined under the interface: 


CLI (config-if)> key-value <slot> <key-string> 


Reminder: The WEP key length can be 40, 104 or 128 bits long (respectively: 5, 13 or 16 characters long). 


When you have completed the dot11radio 0/0 configuration, you must enter the no shutdown command. 
This command activates the radio interface, which is "shutdown" by default. 


CLI (config-if)> no shutdown 
Limiting the transmit-power of the AP is necessary if interferences between neighboring cells must be 
reduced. The default transmit-power is set to its legal maximum: 


CLI (configure)> interface dotllradio 0/0 
CLI (config-if)> default power local 
CLI (config-if)> power local { full | min | half | quarter | eighth } 
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By default, the AP accepts client association running in 802.11n or 802.11g or 802.11b. The client 
associations can be filtered by using the command mode. This command is used to set the BBS Basic 
Rate Set and the Operational Rate Set as specified by the 802.11 standard. A client must support all Basic 
Rates to be associated with the AP. The mode is common to all SSID. The following command accepts 
two arguments, first one is mandatory and second one is optional. 


CLI (configure)> interface dotllradio 0/0 

CLI (config-if)> mode { 11b [11-only|11b-only] 
| lig [11g-only] 
| 11borl1g [11-only]|11b-only|11b-and-11g|11g-only] 
| 11borllgorlin } 


The different modes are summarized in the following table, rates are in Mbps. 
11bori11g 


or11n 
(default) 


11bor11g 
(default when 802.11n not available) 


Optional 
11b-only | 11b-and- ; 11g-only 


yess] 12 1.25.5,11 pore 612,24 6.12.24 1.25.5,11 


1,2,5.5,11 

6,9,12,18 
24,36,48,54 
MCS0O to 15 


132,050: 1) 
1,2,5.5,11 1,2,5.5,11,6,9,12,18,24,36,48,54 6,9,12,18 
24,36,48,54 


Operational 
rates 


STA mode 802.11b 802.11b 802.11b 802.11b 802.11b 


ableto | 802.119 | 802.119 | 802.11g| 802.11g see ea a 802.119 
associate 802.11n 802.11n 802.11n 802.11n 802.11n 





Note that some combinations are equivalent. 


The transmission rate is selected dynamically using a rate control algorithm. The transmission rate can be 
forced to a specific value using the following command. The argument best enables the rate control 
algorithm and is the default behavior. Setting a speed value forces the transmission rate of all frames 
except control frames (ACK, RTS, CTS, PS-Poll) and Beacon frames. The rate control algorithm is then 
disabled so that first frame is always transmitted at this rate, but if this frame is not acknowledged, it can 
be retransmitted with a lower rate. Allowed values for this parameter depend on the mode as described 
previously (note that mi stands for MCSi as described in 802.11n). When the user changes mode 
parameter, speed parameter is reset to default value, regardless of its former value. 


CLI (configure)> interface dotllradio 0/0 

CLI (config-ssid)> speed { best | 1 | 2 | 5.5 | 11 
| 6 | 9 | 12 | 18 | 24 | 36 | 48 | 54 
| mo | m1 | m2 |... | m13 | m14 | m15 } 


The number of associated clients can be controlled in order to preserve throughput performance within a 
radio cell. By default, up to 255 associations are allowed; the number of associations can be reduced by 
means of the following command: 


CLI (configure)> interface dotllradio 0/0 
CLI (config-ssid) > max-radio-associations <1-255> 


The radio channel is selected within the 2.4 GHz band. The radio channel is selected as the channel 
number (ranging from 1 to 13; 11 being the default value) or as the frequency (from 2,412 to 2,472 MHz). 
Be aware that not all channels are authorized by regulation authorities where the product is installed. For 
your information, all 13 channels are authorized within EMEA except France. To force the regulatory 
domain, use the command dot11 location ... (see next section). To force the channel: 


CLI (configure)> interface dotllradio 0/0 
CLI (config-if)> channel { <1..13> | 2412 | 2417 | .. | 2472 } 


If you want to restart channel scanning, enter the following command in global mode: 


CLI> dot1il restart 


Bridging & LAN User Guide Page 4.4-49 of 89 


ONEOS V4.3R4 /V5.1R3 BRIDGING & LAN USER GUIDE (EDITION 10) 


You can select the preferred mode when the AP is equipped with 2 antennas. The default mode (antenna 
diversity) is recommended, because it dynamically selects the antenna providing highest performance. 
Note that this command is deprecated in software releases with 802.11n available. 


CLI (configure)> interface dotllradio 0/0 
CLI (config-if)> antenna select { left | right | diversity } 


Clear Channel Assessment (CCA) threshold is specified to be -62 dBm to meet IEEE 802.11 specification. 
The next command allows increasing this threshold in some noisy environments where channel is 
considered busy without any 802.11 valid frames. You should keep the default CCA value unless you 
notice that the channel is busy although there is no traffic (idle activity should be less than 4% in show 
dot1il channel-activity). Having an idle channel detected as busy can result in bad throughput 
performance. However, do not set CCA to a high value as it degrades reach (stations far from the AP send 
with a weak signal; the received signal can be weak enough to be under CCA threshold). Note that this 
command is deprecated in software releases with 802.11n available. 


CLI (configure)> interface dotllradio 0/0 
CLI (contig=1£)> cea. <—62..<0> 


The beacon period is the time interval between two consecutive beacon frames. 


CLI (config-if)> beacon period <20-1000> 


The default beacon period is configured in milliseconds. Default is 100 msec. To restore the default 
beacon period: 


CLI (config-if)> default beacon period 


Some optimizations have been brought to the 802.11 protocol in order to maximize autonomy of battery- 
powered devices such as WLAN mobile phones. The DTIM field in the beacon frame (Delivery Traffic 
Indication Map) indicates whether there are some packets waiting to be sent to a power-saving device. 
The DTIM count provides the periodicity after which the power-saving device should wake up, examine the 
beacon frame and sleep again if there are no frames addressed to the device. By default, the DTIM count 
is 2, t.e. the DTIM field is included in the beacon frame in every 2 beacon frames. To override the default 
DTIM count: 


CLI (config-if)> beacon dtim <1-100> 


To restore the default DTIM count: 


CLI (config-if)> default beacon dtim 


The RTS threshold is the quantity of data that must be accumulated for sending within the AP before trying 
to request access to medium (i.e. sending a Request-To-Send -RTS- frame). Setting a short RTS 
threshold is often beneficial to throughput, as small packets do not have to wait unnecessarily. RTS 
threshold = O provides the best performance with one WLAN station and AP for TCP-based flows (as TCP 
ACK are sent without waiting, TCP flow control increases the emission rate). Setting a high threshold is 
recommended when the traffic profile is verbose and bursty (ex: on a bridge AP). To set the RTS threshold 
(in bytes, default value 2347 bytes): 


CLI (config-if)> default rts threshold 
CLI (config-if)> rts threshold <0-2347> 


The fragmentation threshold is the maximum frame size emitted on the WLAN medium, resulting of the 
fragmentation of a packet. A high fragmentation threshold is recommended if you want the best throughput 
whereas a low fragmentation threshold is recommended if you want the best reach (fragmentation 
improves robustness towards a high bit error ratio, but adds protocol overhead). To set the fragmentation 
threshold (in bytes) and set the default value (2346 bytes): 


CLI (config-if)> fragmentation-threshold <256-2346> 
CLI (config-if)> default fragmentation-threshold 


Source MAC address filtering (Station filtering): it might be desirable to accept frames only from selected 
Stations (i.e. received frames with certain MAC source addresses). In some other cases, it may be useful 
to ban a user (i.e. only drop frames with certain source MAC addresses). By default, this mode is always 
activated. 


For filtering configuration, first enter in SSID configuration mode: 


CLI (configure)> interface dotllradio 0/0 
CLIN CGontig=—1.2 ) > 


Bridging & LAN User Guide Page 4.4-50 of 89 


ONEOS V4.3R4 /V5.1R3 BRIDGING & LAN USER GUIDE (EDITION 10) 


For source MAC address filtering, the filtering mode must be selected. If the mode is allow (default), you 
will then enter the list of client MAC addresses, which are allowed to connect to AP. If the mode is deny, 
you will then enter the list of client MAC addresses, which are NOT allowed to connect to AP. To disable 
such filtering please enter the mode none. The MAC addresses are entered by means of the acl-add 
command (respectively removed by acl-del). An optional alias name can be associated to the MAC 
address to facilitate the understanding of the result of the debug and show commands (see 4.7). 


CLI (config-if)> acl-mode { allow | deny | none } 
CLI (config-if)> acl-add <AA>:<BB>:<CC>:<DD>:<EE>:<FF> [alias <alias>] 
CLI (config-if)> ael-del <AA>:<BB>:<CC>:<DD>:<EE>:<FF> 


4.4.2 WMM and U-APSD Parameters 


The "QoS WMM" and the "Power-Save mode (U-APSD)" functionalities are configured inside interface 
dot11radio configuration mode. "QoS WMM'" is enabled by default while U-APSD is not. 


To disable QoS WMM: 
CLI (configure)> interface dotllradio 0/0 
CLI (config-if)> no dot1l qos wmm 
To enable QoS WMM (with or without U-APSD — Note that U-APSD needs QoS WMM enabled): 
CLI (configure)> interface dotllradio 0/0 
CLI (config-if)> dot1ll qos wmm [uapsd] 
Note: to apply this change one must reboot the device after having saved the configuration. 
To disable U-APSD (only): 
CLI (configure)> interface dotllradio 0/0 


CLI (config-if)> no dot1ll qos wmm uapsd 


The configuration of access categories (AC) queues parameters for the AP is done in interface 
configuration mode. For each AC, an intermediate node is used to configure queues parameters. To enter 
in an AC intermediate node: 


CLI (configure)> interface dotllradio 0/0 
CLI (config-if)> dot1ll gos { class | class-bss } 
{ background | best-effort video voice } 
CLI (config-if-qosclass) > 
To configure a minimum Contention Window: 


CLI (config-if-gqosclass)> cw-min <min-value> 


To restore the default minimum Contention Window (refer to 4.1.4 for default values): 


CLI (config-if-qosclass)> default cw-min 


To configure a maximum Contention Window: 


CLI (config-if-qosclass)> cw-max <max-value> 


To come back to the default maximum Contention Window (refer to 4.1.4 for default values): 


CLI (config-if-qosclass)> default cw-max 


To configure a fixed backoff slot time: 


CLI (config-if-qosclass)> £ixed-slot <0Q-15> 


To restore the default fixed backoff slot time (refer to 4.1.4 for default values): 


CLI (config-if-gosclass)> default fixed-slot 
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4.4.3 


4.4.4 


To configure a transmit opportunity in usec (value is rounded in p times 32 usec): 


CLI (config-if-gosclass)> transmit-op <value> 


To restore the default transmit opportunity in usec (refer to 4.1.4 for default values): 


CLI (config-if-gosclass)> default transmit-—op 


The AC selection mode defines if the AC is selected from CoS value, DSCP or both. By default, the AC is 
taken from the DSCP value. To configure the AC selection mode: 


CLI (config-if)> dot1ll qos mapping-mode { dscp | cos | both } 
To configure the explicit mapping of DSCP to CoS enter in DSCP-CoS mapping-mode then enter the 
mapping. DSCP value can be entered using directly the ad-hoc code-point (0-63) or using PHB names 


(see "Services" section in "QOS Features" chapter of "OneOS — Basic IP User Guide" document) or Class- 
Selector names (RFC 2474). 


CLI (config-if)> dot11l qos dscp-cos-mapping 
CLI (dscp-cos-mapping)> dsep <dscp-value> cos <0Q-7> 
To remove an explicit mapping: 


CLI (dscp-cos-mapping)> no dsecp <dscp-value> cos <0-7> 
802.11n Aggregate MAC PDU parameter 


802.11n allows the aggregation of multiple medium access control protocol data units (A-MPDU) at the 
physical layer (PHY). A-MPDU aggregation is enabled by default. 


To disable A-MPDU feature (in interface configuration mode): 


CLI (config-if)> no ampdu 


To re-enable A-MPDU feature: 

CLI (config-if)> ampdu 
Note: the commands depicted in this chapter are only relevant for 802.11n capable devices. Otherwise the 
following message is displayed: 

CLI (config-if)> ampdu 

not available on 802.11 bg device 
By default, when activated, 32 A-MPDU sub-frames are aggregated in an A-MPDU frame. To modify the 
number of A-MPDU sub-frames: 


CLI(config-if)> ampdu packet <2-64> 


To return to the default value (32): 


CLI (config-if)> default ampdu packet 


By default, when activated, the maximum size of an A-MPDU frame is 65535 bytes. To modify the size: 


CLI(config-if)> ampdu size <1024-65535> 


To return to the default value (65535): 


CLI(config-if)> default ampdu size 


Global 802.11 Parameters 


The radio working mode is "plug and play". The AP auto-detects free channels and configures the transmit 
power (max. 18 dB, bit rate dependent). A country code is used to identify the regulatory domain. Both 
regulatory domain and wireless mode (802.11b or 802.119 or 802.11n) are used to build the channel list 
by scanning the regulatory domain table and pick up the channels with matching wireless modes. To set 
the ISO country code: 


CLI (configure)> dot1ll location isoce <country-code> 
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The country-code is ISO encoded country code: fr, us, gb, ch, es, pl, nl, de... You will find the 
exact country list by entering the show dot11 country table command. 


When TKIP is activated on a SSID, MIC (Message Integrity Check) verifies received packet integrity. If 
2 MIC integrity check failures are observed within 60 seconds, the station is de-associated and its key is 
dropped. As a counter measure, the corresponding WLAN station is held off for the hold-off period, 
which 60 seconds is by default: 


CLI (configure) > dot11l tkip-countermeasure <hold-off-—in-seconds> 


To reset the default hold-off time: 


CLI (configure)> dot1ll tkip-countermeasure 


The dot1x client timeout parameter is the amount of time that the AP waits for the client to answer to EAP 
messages. Otherwise, the EAP negotiation fails. 


CLI (configure)> dot1lx client-timeout <seconds> 


To reset the default value (80 seconds): 


CLI (configure)> dot1lx client-timeout 


The dot1x server timeout parameter is the amount of time that the AP waits for the server to answer to 
EAP messages. Otherwise, the EAP negotiation fails. 


CLI (configure)> dotlx server-timeout <seconds> 


To reset the default value (8 seconds): 


CLI (configure)> dotlx server-timeout 


The reauthentication period is the time interval in seconds between which a client must re-authenticate to 
the server to negotiate a new master key: 


CLI (configure)> dot1lx reauth-period <30-4294967295> 


By default, reauthentication takes place every 60 seconds; to restore the default value: 


CLI (configure)> dotlx reauth-period 


The aging parameter determines the time period after which an inactive station is disassociated by the AP. 
By default, an inactive station is disassociated after 300 seconds. To change this aging period in seconds: 


CLI (configure)> dot1ll aging-timer <10..3600> 


An aging period below 120 seconds must not be used unless it is for test purposes. The accuracy of this 
aging timer is 60 seconds: the association table is scanned every minute. Stations whose inactivity period 
is greater than the aging timer are disassociated. In other words, in the worst case, the inactive stations is 
dissaciated after (aging-timer + 60) seconds. 


4.4.5 Configuration Examples 


WPA-PSK: 


configure terminal 
interface dotllradio 0/0.1 
ssid hotspotl 
authentication wpa-psk 
passphrase 0OA112233445566 
intraforwarding 
exit 
ip address 192.168.0.1 255.255.255.0 
exit 


interface dotllradio 0/0 
acl-mode allow 

acl-add 00:12:17:98:81:9d 
no shutdown 
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exit 


Open Mode: 


configure terminal 
interface dotllradio 0/0.1 
ssid hotspot2 
authentication open 
encryption none 
intraforwarding 
exit 
ip address 192.168.0.1 255.255.255.0 
exit 
interface dotllradio 0/0 
acl-mode allow 
acl-add 00:12:17:98:81:9d 
no shutdown 
exit 


WEP, 40-bit-long Key: 


configure terminal 

interface dotllradio 0/0.1 
ssid hotspot3 
authentication open 
encryption wep40 
default-key 1 
intraforwarding 

exit 

ip address 192.168.0.1 255.255.255.0 

exit 

interface dotllradio 0/0 
acl-mode allow 

acl-add 00:12:17:98:81:9d 
key-value 1 abcde 

no shutdown 

exit 


802.1X: 


configure terminal 
radius-server 10.0.0.200 shared_secret 1812 
aaa group server radius eap_radius 
server 10.0.0.200 
exit 
interface dotllradio 0/0.1 
ssid hotspot4 
authentication wpa eap_radius 
encryption tkip 
intraforwarding 
exit 
ip address 192.168.0.1 255.255.255.0 
exit 
interface dotllradio 0/0 
acl-mode allow 
acl-add 00:12:17:98:81:9d 
no shutdown 
exit 


4.4.6 Configuring Bridging on a WLAN Interface 


If you wish a WLAN client to access a Microsoft Network on the wired LAN (to access shared directories or 
a printer), the solution is that the WLAN interface and the LAN interface be managed within the same IP 
network. Furthermore, MAC frames must be bridged (without IP routing) from WLAN to LAN and vice 
versa. 
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In order to activate bridging, you must declare a bridge virtual interface (BVI) and attach it to the LAN and 
WLAN sub-interfaces. Refer to 6.2. 


The BVI interface is declared as follows: 


Chi 
Cit 
CEI 
Cid 


configure)> interface bvi <id> 
config-if)> ip address <ip> <mask> 
config-if)> bridge-group <bridge-id> 
config-if)> exit 


i ~—a ~~ 


Then, attach the same bridge-id under LAN and WLAN sub-interfaces: 


CLI (configure)> interface dotllradio 0/0.<unit> 
CLI (config-if)> bridge-group <bridge-id> 

CLI (config-if)> exit 

CLI (configure)> interface fastEthernet 0/0 

CLI (config-if)> bridge-group <bridge-id> 

CLI (config-if)> exit 


Example: 


interface bvi 1 

ip address 192.168.1.1 255.255.255.0 
bridge-group 101 

exit 

interface fastethernet 0 
bridge-group 101 

exit 

interface dotllradio 0/0.1 
ssid hotspot3 
intraforwarding 
authentication open 
encryption wep40 
default-key 1 

exit 

bridge-group 101 

exit 

interface dotllradio 0/0 
acl-mode allow 

acl-add 00:12:17:98:81:9d 
key-value 1 abcde 

no shutdown 

exit 


4.4.7 Configuring a native VLAN on a WLAN Interface 


To bridge the data traffic between the radio interface and a VLAN interface (FastEthernet or ATM or ...), it 
is necessary to add a native 802.1q header to the packets received on the radio interface, and inversely to 
control and remove an 802.1q header from the packets sent to the radio interface. 


To set an 802.1q VLAN ID and optionally an 802.1q priority, use the following command in logical interface 
level: 


CLI (configure)> interface dotllradio 0/0.<unit> 
CLI (config-if)> native-dot1Q <vlan-id> [default-pri <0-7>] 
To remove the native VLAN on the WLAN interface, use the no form of the command: 


CLI (configure)> interface dotllradio 0/0.<unit> 
CLI (config-if)> no native-dot1Q 
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4. 


5 


CONFIGURING APC 


Note that the APC configuration is only available after having entered, using the sw-right command, the 
license key dedicated to your OneOS-based router and corresponding to the software license you bought 
(APC-8 or APC-16 license). 


To enable the AP controller and enter in APC configuration mode, use the following command in global 
configuration mode. Use the no form of the command to disable the AP controller. 


CLI(configure)> [no] ap-controller 
CLI (config-apc) > 


Warning: disabling the AP controller erases the whole APC configuration including the profile files 
that have been created. 


To define how the APC will manage the configuration of the AP, use the following command in APC mode: 


CLI (config-apc) > provisionning-mode { discover | template | none } 


e none: (default value) the same configuration is sent to all the AP. This configuration is taken from the 
webroot/bsaStart.cfg file. 


e discover: as the AP are discovered the configuration taken from the webroot/bsaStart.cfg.nn 
file is sent (nn from 01 to 16). 


e template: as the AP are discovered the configuration described in a virtual profile and associated to 
the AP is sent. 


To define a virtual profile that contains the command lines of the configuration to send, use the following 
command in APC configuration mode. Use the no form of the command line to remove the virtual profile. 


CLI(config-apc)> [no] virtual-profile <vitual-profile-name> 
CLI (config-vprofile) > 


The command lines can then be directly entered using the set command and /or taken from a file using 
the source-file command and / or taken from another profile using the source-profile command. 
All entered command lines are gathered in the virtual profile taking into account their sequence-line- 
number In ascending order (use the recount command to renumber the various command lines if 
needed). Use the no form of the commands to remove a command line, a source file or a source profile 
description. 


> [no] set <sequence-line-number> <command-line> 
> [no] source-file <filename-path> 

> [no] source-profile <vitual-profile-name> 

> exit 


CLI (config-vprofile 
CLI (config-vprofile 
CLI (config-vprofile 
( 
( 


ee a a 


CLI (config-vprofile 
CLI(C6ntig=ape) > 


To associate a profile with an AP, use the following command in APC configuration mode. Use the no form 
of the command to remove the association. 
CLI(config-apc)> [no] profile-associate <AP-MAC-addr> <virtual-profile- 
name> 
To associate a default profile with other AP those have not been explicitly associated use the following 
command in APC configuration mode. Use the no form of the command line to remove the default profile. 
CLI(config-apc)> [no] profile-default <virtual-profile-name> 


The AP controller monitors the presence of the AP using a keepalive method. This keepalive method is 
activated by default and sends a keepalive message every 30 seconds (default value). When an AP does 
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not answer to the keepalive message, the APC tries 3 more times (default value) before de-associate the 
AP. The latter will then reboot and re-associate. To modify the default values, use the following commands 
in APC configuration mode: 


CLI (config-apc)> keepalive frequency <15-1200> 

CLI (config-apc)> keepalive retries <2-60> 
To apply the default value again, use the following commands in APC configuration mode: 

CLI (config-apc)> default keepalive frequency 

CLI (config-apc)> default keepalive retries 
To deactivate the keepalive process, use the no form of the command. To re-activate the keepalive 
process with the default values, use the command without parameter. 


CLI (config-apc)> no keepalive 
CLI (config-apc)> keepalive 


To start the AP controller, use the no shutdown command then exit. 


CLI (config-apc)> no shutdown 
CLI (config-apc)> exit 
CLI (configure) > 


Note: as well as for the APC that needs being shutdown to be configured, the AP need also to be 
shutdown to be configured. Think to place the shut down command in the profile to send to the AP. 


An AP updates its software and configuration when it starts, periodically depending on its configuration 
and when it re-associates. To force an AP to update (i.e. getting its configuration from the virtual profile 
that has been created) use the following command in global mode: 


CLI> ap-controller auto-update-start <AP-MAC-addr> 


Events sent by the AP/APC association can be logged to the syslog-server embedded in the APC. When 
enabled the syslog server stores the events into two flip/flop files located in the ramdisk root 
syslogSrvTracesl.log and syslogSrvTraces2.1log that each contains up to 150 events (lines). 


The syslog server is TCP based and listen to TCP port 1468. The syslog server is disabled by default. To 
enable syslog server, use the following command in configuration mode: 


CLI (configure)> syslog-server enable 
The syslog server is available from a non-default VRF. Use the following command to set the VRF. Use 
the no form to return to the default VRF. 


CLI(configure)> [no] syslog-server vrf <vrf-—name> 


To disable the syslog server (default value), use the following command in configuration mode: 


CLI (configure) > syslog-server disable 


To attach the syslog-server to a specific interface, use the following command (in global mode): 


CLI> [no] bind syslog-server <interface> 


To permit syslog server access from any interface, which is the default configuration, use the following 
command (in global mode): 


CLI> bind syslog-server any 


To display statistics about the syslog-server, use the following command (in global mode): 


CLI> show syslog-server statistics 


To debug more information about the syslog-server, use the following command (in global mode): 


CLI> [no] debug syslog-server 
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Example: 


Ssw-right APC-8 f74a3efcbc3d612064a30f67d7d27£77 


no reboot recovery-on-error 
logging buffered size 16364 
ap-controller 
virtual-profile ADMIN 


set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
exit 


10 configure terminal 

15 hostname oneair 

30 interface fastethernet 0/0.2 
40 bridge-group 2 

50 no ip address 

60 encapsulation dotlgq 3001 
70 exit 

80 interface dotllradio 0/0.1 
90 bridge-group 2 

100 no ip address 

110 exit 

160 interface bvi 2 

170 bridge-group 2 

180 exit 

190 apc-collector disable 

195 exit 


virtual-profile WIFI 
source-profile ADMIN 


set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
set 
exit 


90 configure terminal 

100 interface dotllradio 0/0.1 
105 shutdown 

110 ssid apc_apc 

120 authentication wpa-psk 

130 encryption tkip 

140 passphrase ****kxkxxkk* 

150 exit 

175 no shutdown 

180 exit 

310 interface dotllradio 0/0 
315 shutdown 

330 acl-add 00:01:02:03:04:05 
340 acl-add 00:02:04:06:08:0a 
1400 acl-add ff:ee:dd:cc:bb:aa 
1410 acl-add ff:dd:bb:99:77:55 
1420 key-value 1 abcde 

1430 dotil qos wmm 

1440 channel least-congested 
1450 no shutdown 

1460 exit 

1470 exit 


virtual-profile ap_1l 
source-profile WIFI 


set 
set 
set 
set 
set 
set 
set 
set 
exit 


10 configure terminal 

20 hostname ap_1l 

30 interface dotllradio 0/0 
40 shutdown 

50 channel 1 

60 no shutdown 

70 exit 

80 exit 


virtual-—profile ap_2 
source-profile WIFI 


set 
set 
set 
set 
set 
set 
set 


10 configure terminal 

20 hostname ap_2 

30 interface dotllradio 0/0 
40 shutdown 

50 channel 6 

60 no shutdown 

70 exit 
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set 80 exit 
exit 
profile-associate 00:11:22:33:44:55 ap_1l 
profile-associate Of:0e:0d:0c:0b:0a ap_2 
profile-default WIFI 
provisioning—-mode template 
no shutdown 
exit 
hostname apc 
interface FastEthernet 0/3 
ip address 192.168.1.30 255.255.255.0 
exit 
interface Bvi 2 
ip proxy-arp 
ip address 172.17.71.211 255.255.252.0 
encapsulation dot1Q 3001 
bridge-group 2 
exit 
interface FastEthernet 0/0.2 
encapsulation dot1Q 3001 
bridge-group 2 
exit 
interface FastEthernet 1/0.2 
encapsulation dot1Q 3001 native 
bridge-group 2 
exit 
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4.6 CONFIGURING WPS 


Note: prior configuring WPS, the physical and logical WiFi interfaces have to be fully configured 
(SSID, authentication, encryption, IP layer, no shutdown, etc). 


To enable WiFi Protected Setup (WPS), use the following command in SSID configuration mode: 
CLI (configure)> interface dotllradio 0/0.<unit> 
CLI (config-if)> ssid <ssid-name> 
CLI (conf-ssid)> wps enable 
To disable WPS (default value), use the following command in SSID configuration mode: 
CLI (conf-ssid)> wps disable 
By default the PIN code method is the only WPS registration method allowed. To allow also the push 
button configuration method, use the following command in SSID configuration mode: 


CLI (conf-ssid)> wps method pbc 


To return to the default value (PIN code method only): 


CLI (conf-ssid)> wps method pin 


To use the pin code method, first start the process (according to the vendor specifications) on the WPS 
station enrollee that is going to be authenticated (the OneOS AP is the registrar). Then enter the PIN code 
provided by the enrollee using the following command in global mode: 


CLI> dot11l wps pin <pin-code-value> 0/0.<unit> 
Use the show dot1l1 wps status command to display the result of the WPS process. 
To use the push button configuration method, first start the process (according to the vendor 


specifications) on the WPS station enrollee that is going to be authenticated (the OneOS AP is the 
registrar). Then simulate the AP bush button using the following command in global mode: 


CLI> dot11l wps pbc-push 0/0.<unit> 


Use the show dot1l1 wps status command to display the result of the WPS process. 
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4.7 WLAN DEBUGGING AND STATISTICS 


The list of active debugs is displayed by show debug; Active debugs are deactivated by no debug. 


To facilitate the understanding of the result of the following debug and show commands, it is possible to 
associate alias names to the MAC addresses so the alias is displayed instead of the MAC address value. 


To associate an alias name to a MAC address, use the following command in interface dot11radio 
configuration mode (see also the acl—add command). 


CLI (config-if)> dot1ll alias set AA:BB:CC:DD:EE:FF <alias> 


To display the SSID using either MAC address value or alias name, use the following command in 
interface dot11radio configuration mode (default full—mac). 


CLI (config-if)> dot11l alias display ssid { full-mac | alias } 
To display a station using full MAC address value or MAC address value with OUI name or alias name, 
use the following command in interface dot11radio configuration mode (default full-mac). 


CLI(config-if)> dot11l alias display station { full-mac | oui-mac |alias } 


To debug WLAN client association and radio layer events, use the following debug command: 


CLI> debug doti1l1 [error <level>] 


To display 802.1X protocol message as well as WPA-PSK traces: 
CLI> debug dot1ix [aaa | eap | key] 


To display information sent in beacon frames (if you choose a debug level, be careful: lots of traces are 
generated): 


CLI> debug doti1l beacon <level> 
CLI> no debug dot11 beacon 


To display information about probe frames (if you choose a debug level, be careful: lots of traces are 
generated): 


CLI> debug dot1l1l probe <level> 
CLI> no debug dot11 probe 
To display information about dot11 initialization (displays what happens during ‘no shutdown’): 
CLI> debug doti1l1 init <level> 
CLI> no debug dotl1l1 init 
To display information about association and authentication: 
CLI> debug dotl1l1l mgt <level> 
CLI> no debug dotl1l1 mgt 
To display all information related to a specific station: 
CLI> debug dot11 station <MAC-address> { all |arp | dhcp | dotix | errors 


| mgt | power-—save | probe } <level> 


CLI> no debug dot11 station [{ all |arp | dhcp | dotix | errors 
mgt power-save | probe }] 


To capture the 802.11 frames and to decode frames in Wireshark, the capture utility can be used (refer 
to "Capturing Packets" chapter of "OneOS — Admin User Guide" document.). 
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To display the WLAN IP interface configuration: 


CLI> show ip interface dotilradio 


To display the WLAN IP interface statistics: 


CLI> show interfaces dotllradio 


To display the WLAN configuration: 


CLI> show dot11 config 


To display the list of attached WLAN clients: 


CLI> show dotl1ll1l association 


To display detailed statistics of attached WLAN clients: 
CLI> show dotl1l station 


To display detailed statistics of keys: 
CLI> show dotl1l key 


To display the information contained in beacon frames: 
CLI> show dotl1l beacon [0/0.<unit>] 


To display the WLAN firmware version: 
CLI> show dot1l version 
dotllradio 0/0 revisions: mac 128.2 phy 13.0 analog 12.0 
PCI Vendor ID: 0x1l6e8c,. Device ID: 0x29 
Sub Vendor ID: 0xil68e, Sub Device ID? 0x29 
Chip is Atheros 9280 


Eeprom Major Version 14, Minor Version 21 
802.1l1in capable 


To display MAC address cache for MAC authentication and to clear MAC address cache: 
CLI> show dot1l mac-cache 
CLI> clear dot1l mac-—cache 

To display information related to a specific SSID: 


CLI> show dotl1l radio-interface [0/0.<unit>] 


To display QOS WMM information: 
CLI> show doti1l qos 


To display QOS WMM DSCP current mapping to Cos: 
CLI> show dot1l1l gos dscp-—qos-mapping 


To clear QoS WMM queues statistics: 


CLI> clear dot1l gos counters 


To display information about AP controller association process messages: 
CLI> debug ap-controller association 
CLI> no debug ap-controller association 

To display information about AP controller kKeepalive process messages: 
CLI> debug ap-controller keepalive 
CLI> no debug ap-controller keepalive 

To display information about AP controller profile process messages: 


CLI> debug ap-controller profile 
CLI> no debug ap-controller profile 
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To display the AP controller associations and to suppress AP controller associations: 


CLI> show ap-controller association [detailed] 
CLI> clear ap-controller association [<AP-MAC-addr>] 


To display the AP controller keepalive statistics and to clear keepalive counters: 


CLI> show ap-controller keepalive statistics 
CLI> clear ap-controller keepalive counters 


To display AP controller provisionning mode: 


CLI> show ap-controller provisionning-—mode 


To display AP controller profile associate information: 


CLI> show ap-controller profile-assoc 


To display an AP controller virtual profile: 


CLI> show ap-controller virtual-profile <virtual-profile-name> 


To display AP controller default profile information: 


CLI> show ap-controller default-profile 


To display the associated-AP WLAN information through the APC: 


CLI> show ap-controller dot1l1l <parameter> [<AP-MAC-addr>] 


Refer to the show dot11 command for the parameter possible values. 


To display information about WPS process messages: 


CLI> debug doti1l1 wps 
CLI> no debug dot11 wps 


To display the current status of WPS registration (ongoing registration if not terminated or last registration): 


CLI> show doti1l1 wps status 
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5 VIRTUAL LAN AND PRIORITY TAGGING 
Virtual LAN (VLAN) is a technique to logically divide a network into small (generally layer-2) segments, 
which share the same physical media, but not the traffic. This section describes the main features of 
VLAN, VLAN Based Routing and their configuration. 
In addition, a LAN switch device is available on the OneOS-based product series. Please check the 
release notes of the hardware platform to see if such a switch is present in your product. If a LAN switch is 
present, switched VLAN and/or bridge can also be configured. 

5.1 VLAN FEATURES 

5.1 Introduction to VLAN 


Depending on hardware platform, one or all of the following functions can be available: 
e VLAN based routing, available on all platforms. 


e LAN switching/routing without VLAN, available only if multi-port Ethernet module is present on the 
product. 


e LAN switching/routing with VLAN, available only if multi-port Ethernet module is present on the 
product. 


The ONE10 does offer neither port-based routing nor port-based VLAN. 


VLAN is often viewed as an information broadcast domain in a switched network. It is a way to logically 
group end stations, servers, located on different physical LAN segments. Hosis on the same VLAN can 
exchange messages regardless of their physical location as if they were on the same LAN segment. 


VLAN provides a different method to segment networks rather than using physical separation. For 
example, stations from the same project, or the same team, or the same department, or the same 
application, can be grouped in a VLAN. Traffic for the same VLAN is generally switched or bridged among 
different LAN segments. 


There are several methods to define VLAN in an organization. The most commonly used methods include: 


e Port based VLAN. VLAN membership is specified by ports. For example, ports 0, 2 and 3 form VLAN 
1, ports 1 and 4 form VLAN 2. 


e MAC address based VLAN. VLAN membership is specified by a group of MAC addresses. Using this 
method, a station can be moved from a port to another without problem. 


e Layer 3 defined VLAN. VLAN membership is specified by layer 3 or higher layer information, for 
example, by using IP addresses. 


A port based VLAN is shown in the following figure. Between ports of the same VLAN, traffic is switched or 
bridged, which gives better performance and flexibility. Traffic between different VLANs can be routed by 
the IP layer. As such, different VLANs are also separated by different network addresses. For example, in 
the following diagram (showing a router with a VLAN-enabled Ethernet switch), traffic between port 2 and 
port 3 is switched as they are part of the same VLAN. Traffic between port 1 and port 2 is routed as they 
do not belong to the same VLAN. 
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On an OneOS-based router without LAN switch, it is allowed to create up to 255 VLANs if needed on a 
physical LAN port. On an OneOS-based router with a LAN switch, one single VLAN can be configured per 
port. 


If more than one VLAN sub-interface is configured, layer-two switching is not possible. 


Each VLAN should be identified by a VLAN ID, also known as VLAN tag. VLAN frames are encapsulated 
in IEEE 802.1Q defined VLAN format, which prescribes a new VLAN header to be inserted after the IEEE 
802.3 header. The format of VLAN frames is shown in the following figure: 


6 bytes 6 bytes 4 bytes 2 bytes 4 bytes 





EtherType 0x8100 [PRI] CFI VLAN ID 


16 bits 3 bits 1bit 12 bits 


e PRI: User Priority 
e CFI: Canonical Frame Identifier 
e FCS: Frame Check-Sum 
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5.1 


3.1 


.2 


3 


802.1q Tunneling 


802.1q tunneling is a key feature required for some layer-2 services. It enables the transport of customer 
Ethernet traffic over a Carrier Ethernet infrastructure. The customer traffic can be VLAN-tagged and/or 
untagged Ethernet traffic. Customer VLANs (C-VLAN) are transported transparently through one or more 
VLANs provisioned by the service provider (S-VLAN), using the Q-in-Q encapsulation. In carrier Ethernet 
service, the LAN interface, which is the connectivity delivered by the telecom operator, is referred to as 
User-to-Network Interface (UNI). The WAN interface connected to the Carrier Ethernet network is also 
called Network-to-Network Interface (NNI). 


802.1q tunneling in OneOS is a feature applied on the UNI. The architecture of 802.1q tunneling is 
represented below: 


VLAN Switch port 
Known C-VLAN or 
untagged Rule? 





The traffic from LAN (or User-To-Network Interface —UNI-) is processed as follows: 


e After going through the port and optionally input QOS (policing, marking), the traffic is mapped against 
the dot1gq mapping rules: 


o If the frame matches a designed C-VLAN ID matching a VLAN-ID based rule, the associated 
dot1q header (S-VLAN) is added and 802.1p is copied; else: 


o If the frame has no VLAN tag and there is a rule to process untagged traffic, the associated 
dotiq header is added and 802.1p is copied; else: 


o The default rule is applied, which can be to add a S-VLAN tag or to drop traffic. 
e Then the frame is processed by the bridging module. 
The traffic from WAN (or Network-To-Network Interface —NNI-) is processed as follows: 
e Frames come from the bridge. Then: 


o = If the outer VLAN-ID (S-VLAN) matches a VLAN-based rule, the inner and outer VLAN are 
checked. If matching, the S-VLAN is popped and the frame is bridged, otherwise, the frame is 
dropped. 


o If the outer VLAN-ID (S-VLAN) matches a default rule (default S-VLAN), the S-VLAN is 
removed. 


o If the outer VLAN-ID does not match any known S-VLAN, the frame is dropped. 
e Then the frame is processed by outbound QOS. 


It is possible to select the "drop" action for unknown VLAN-ID or untagged traffic. It means the VLAN 
switch port function can also be used as VLAN filters. The Ethernet Type for Q-in-Q encapsulation can be 
configured. 


Priority Tagging 


The standard 802.1d and 802.1p define the three priority bits in VLAN header as indicated the packet 
priority. The priority is a value ranging from 0 to 7. The priority is mapped into access categories. Some 
Ethernet switches are able to manage queues with strict priority queuing based on the priority value. 
Priority queuing means that a queue can transmit if the medium is free and the queues of higher priority 
are empty. Switch interfaces on OneAccess products do not support this queuing. The default 
categories are: 
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OneOS-based products are able to tag Ethernet packets with the desired priority as well as classifying 
incoming packets based on their VLAN priority. 802.1p marking is available on all interfaces that support 
802.1Q encapsulation. 


The following interfaces support VLAN configuration: 
e Ethernet/FastEthernet sub-interfaces 

e ATM AAL5 sub-interfaces 

e Dot11radio sub-interfaces 

e BVI (over Ethernet/FastEthernet/WiFi/IPoA) 


e EFM sub-interfaces 


As of V4.2R5E6 software release, double-tagged (or stacked) VLANs are available according to 802.1ad. 
Double-tagging is also known as 802.1Q-in-Q. 


The following interfaces support Q-in-Q configuration: 
e Ethernet/FastEthernet sub-interfaces 
e ATM AAL5 sub-interfaces 


e BVI interfaces 
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VLAN CONFIGURATION COMMANDS 


A VLAN interface is a virtual sub-interface created on a physical Ethernet interface, namely: FastEthernet, 
EFM (over G.SHDSL.bis), ATM-AAL5, Bridge virtual interface (BVI). Multiple VLAN sub-interfaces can be 
configured on a single physical interface. To create a VLAN interface, use the following command in global 
configuration mode. (To delete a VLAN interface, use the no form of the command). 


CLI (configure)> interface { ethernet <slot>/<port>.<sub-interface> 

| fastethernet <slot>/<port>.<sub-interface> 

| gigabitethernet <slot>/<port> <sub-interface> 
| atm-aal5 <slot>.<port>.<sub-interface> 

| bvi <id> 

| efm <slot>/<port>.<sub-interface> } 


Sub-interface number must be specified and must be in the range from 1 to 255. This command, if 
successful, enters in interface configuration mode. 


In order for a VLAN interface to function, a VLAN ID must be set using the following command in interface 
configuration mode. (To remove dot1Q encapsulation, use the default encapsulation command). 


CLI (config-if)> encapsulation dot1Q <vlan-id> [default-pri <0-7>] 
[native] 


vlan-id Is an integer ranging from 1 to 4095. It has no default value. If the keyword native is present, 
this VLAN becomes a native VLAN. On native VLANs, only IEEE 802.3 encapsulation is used (no VLAN 
header is included in the frame). They are targeted for use with LAN stations, which are part of a VLAN but 
not able to decode IEEE 802.1Q encapsulated frames (use of conventional Ethernet frames). Only one 
single native VLAN per port can be declared as no VLAN header is present to discriminate two VLANs. 
default-pri Is the default VLAN priority. The native parameter is still available after default-pri 
keyword; this can make sense for use with WLAN interface. If policy-based routing or IP QoS have tagged 
the priority bits, the default-—pri value is overridden. 


To remove the default priority, enter the command: 


CLI (config-if)> encapsulation dot1Q <vlan-id> [native] 


The native mode is supported on the switch of the OneOS-based routers as of V3.7R11. 


To create a Q-in-Q VLAN interface, use the following command in global configuration mode: 


CLI (configure)> interface { fastethernet <slot>/<port>.<sub-interface> 
| gigabitethernet <slot>/<port>.<sub-interface> 
| atm-aal5 <slot>.<port>.<sub-interface> 

| bvi <id> } 


Sub-interface number must be specified and must be in the range from 1 to 255. This command, if 
successful, enters in interface configuration mode. 


In order for a VLAN interface to function in Q-in-Q mode, a service provider VLAN ID (S-VLAN) and a 
customer VLAN ID (C-VLAN) must be set using the following command in interface configuration mode: 


CLI (config-if)> encapsulation dot1Q <S-vlan-id> [default-pri <0..7>] 
[second-—dot1Q <C-vlan-id>] [native] 


S-vlan-id and C-vlan-id are integers ranging from 1 to 4095. They have no default value. See the 
encapsulation dot1Q <vlan-id> command above for more information. 


To configure dotiq tunneling, first enter in interface configuration mode (physical Ethernet port which can 
be considered as UNI, not under VLAN sub-interfaces): 
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CLI (configure)> interface { fastethernet <slot>/<port> 
| gigabitethernet <slot>/<port>} 


The rules for dot1g tunneling are configured via the next command, which can be repeated several times 
for several VLANs: 


CLI (config-if)> switchport vlan mapping { <C-vlan-id> 
<C-vlan-id-range-start>-<C-vlan-id-range-end> 
| default | untagged } dotlgq-tunnel <S-vlan-id> 


The command above defines the C-VLAN ID to be tunneled in an S-VLAN or the range of S-VLAN ID. The 
keyword default means any frame with a VLAN header will be encapsulated in the designated S-VLAN 
(default: disabled). That does not include the untagged traffic, which would be by default dropped, unless 
entering a rule with the untagged keyword. 


To remove dotig tunneling rules: 
CLI (config-if)> no switchport vlan mapping { <C-vlan-id> 
| <C-vlan-id-range-start>-<C-vlan-id-range-end> 
| default | untagged } 
The Ethernet Type field value for Q-in-Q encapsulation can be set as follows (default: 0x8100): 
CLI (config-if)> [no] dotlq tunneling ethertype { 0x9100| 0x88a8| 0x8100 } 


In order for a VLAN interface to function as a routing interface, an IP address must be set. To do it, use the 
following command in interface configuration mode: 


CLI (config-if)> ip address <address> [<mask>] [secondary] 


You can configure any IP services on such sub-interfaces, such as NAT, ACL, QoS, policy-routing, etc ... 


To delete an IP address, use the no form of the above command. 
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5.3 VLAN STATISTICS 


To display statistics about the existing VLAN, use the following command: 


CLI> show vlans 

802.10 Virtual LAN: FastEthernet 0/0.1, VLAN ID: 10 
IN: 8 packets, 628 bytes 

OUT: 6 packets, 524 bytes 

802.10 Virtual LAN: Ethernet 0/0.1, VLAN ID: 20 

IN: 11 packets, 1456 bytes 

OUT: 10 packets, 1346 bytes 


To display information about the existing bridge groups, use the following command: 


CLI> show bridge-group 

Bridge group 1: 

FastEthernet 0/0.10, FastEthernet 0/2.10, FastEthernet 0/3.10 
Bridge group 2: 

FastEthernet 0/1.20, FastEthernet 0/1.20 





5.4 VLAN DEBUG AND TRACE 


To enable IP interface debugging, use the following command: 


CLI> debug ip interface 


To disable IP interface debugging, use the no form of the above command. 
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6 BRIDGE VIRTUAL INTERFACE (BVI) AND 
LAN SWITCHING 

6.1 BRIDGE INTRODUCTION AND FEATURES 

6.1.1 Setting Up an Ethernet Switch 


An Ethernet switch is a network component that can bridge Ethernet frames between its Ethernet ports. 
The Ethernet switch keeps track of MAC addresses associated with ports, so that the switch knows where 
to forward an Ethernet frame based on the destination MAC address. When the switch is connected to a 
router via a single port, the router "sees" workstations connected to this switch as a LAN network; they are 
reachable through a physical Ethernet interface. 


When the switch is built in the router, the routing software still "sees" these workstations as a LAN network. 
The difference is that they are not reached via a physical interface but rather through a virtual interface, 
called Bridge Virtual Interface (BVI). 


FastEthernet interfaces (physical Ethernet ports) and sub-interfaces (VLAN sub-interfaces) can be 
member of a BVI and thus form an Ethernet switching group. The BVI membership is defined by using the 
same bridge-group ID on FastEthernet interfaces/sub-interfaces. 


A BVI interface is "up" as long as at least one interface having the same bridge-group ID is "up". A BVI 
interface is "down" when all BVI member interfaces are "down". 


The following diagram show how a router with a 5 port-switch can be divided into 2 Ethernet switches by 
configuring 2 BVI: 


Routing Software 


192.168.1.1/24 10.100.1.1/24 


FastEthernet | FastEthernet | FastEthernet | FastEthernet | FastEthernet 
0/0 0/1 0/2 0/3 0/4 





Note: in previous OneOS releases, BVI interfaces did not exist. Therefore, switching was configured that 
way on an Ethernet switch: 
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interface fastEthernet 0/0 

ip address 192.168.1.1 255.255.255.0 
bridge-group 2 
exit 

interface fastEthernet 0/1 
bridge-group 2 
exit 


It is strongly recommended to use BVI interfaces instead. The previous method is supported but 
deprecated, as the BVI offers a better state management of the interface. 


Multiple MAC Addresses 


The standard behavior is that the router has a single MAC address facing the switch. Even if the router has 
different BVI groups or routed FastEthernet ports on the switch, the router is addressed by the same MAC 
address. This feature is useful with VRRP to avoid that a firewall drops packets with the same IP and 
different MAC. Also, the standard behavior is recommended if the router is connected to another switch via 
several ports (to avoid loops). However, multiple MAC addresses can be assigned. 


6.1.2 Integrated Routing and Bridging (IRB) and PVC Multiplexing Layers 


The purpose of IRB is to provide a bridging service between LAN/VLAN interfaces and ATM PVCs. The 
bridging architecture is represented below: 


Virtual 
Ethernet 


Interface 
IP Module 


NAT/Firewall/QoS/Routing 


Bridge (BV1I) 





Bridge Interfaces Bridge Interfaces IPoA, PPPoE 


Ethernet Ethernet oe PVC Multiplexing Other PVC 


/VLAN /VLAN 


In the previous example, the BVI interfaces had the following role: 
e Create a virtual interface, seen from the IP routing software. 


e Activate hardware-based layer-two switching between Ethernet ports (or VLAN sub-interfaces) in the 
switching component. 


How Bridging Works 


With the IRB function, bridging between different interfaces (other Ethernet ports, ATM interfaces) is 
possible via software. If a packet coming from the LAN has a destination Ethernet address that matches 
the BVI MAC address, the packet is forwarded to the IP module and it is routed. If the destination MAC 
address is not the BVI MAC address, bridging applies. 


At the beginning, the bridge has no entries in its cache to record the match between a MAC address and 
an interface port. An IP station tries to learn the MAC address of its default IP gateway. A MAC ARP- 
request is sent. The bridge forwards the ARP request to all interfaces, including to the IP module. It 
enables the station to learn the MAC address of the virtual Ethernet interface of the IP module. Then, the 
IP stations use the learned MAC address as destination MAC address when a packet must be sent over 
the WAN. 


When a frame enters an interface, there are two cases: 


e Either the bridge has "learned" that the MAC destination address designates a station found on the 
same LAN as the port. Therefore, the Ethernet frame does not need to be bridged to another port. A 
"local filtering" is thus achieved. The learning is an auto learning process: when the local filtering 
intercepts an Ethernet frame, the source MAC address of which is unknown, the MAC address is 
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recorded in the local filtering table of the interface. The total number of recorded MAC addresses is a 
maximum of 4096 stored in a 1024-code hash table. In case of hash code collision the new MAC 
address to be learnt replaces the oldest MAC address stored for this hash code. 


e Or the MAC destination address is unknown in the local filtering table and the frame is forwarded to 
internal bridging component. 


The bridging sub-component maintains a similar table as the local filtering. When a frame enters the 
bridging module, the software searches throughout the table whether the MAC destination address is 
known or not. If the address is unknown, the frame is broadcasted to any interface (except the interface, 
which the frame is from). If the address is known, the table entry provides the interface, to which the frame 
shall be sent. The table is built by inserting new table entries when a frame is received: if the MAC source 
address is unknown in the table, the MAC address and the interface where the frame was received is 
recorded in the table. The total number of recorded MAC addresses depends on the sub-component 
available memory. In case new MAC addresses must be learnt, the new MAC address replaces the oldest 
MAC address stored. 


About PVC Multiplexing 


To multiplex traditional IP packets (encapsulated in IPoA) and bridged Ethernet frames in the same AAL-5 
PVC, a special header (LLC/SNAP) must be added at the beginning of the AAL-5 payload. The LLC/SNAP 
header defines the payload type (RFC 2684), which enables to differentiate IPoA encapsulation from 
bridged Ethernet frames. When PPPoEOA is multiplexed with other bridged flows, the discrimination 
between the flows is done by examining the destination MAC address of incoming Ethernet frames. If the 
destination MAC address of such incoming frames matches the PPPoE PVC MAC address, the frame is 
forwarded to the PPPoE software module, otherwise it is forwarded to the bridging software module. 
Therefore it is mandatory that the LLC/SNAP encapsulation be used when you need IRB. 


QoS Management on PVC Multiplexing Interface 


Flows are prioritized not according to their origin (IPoA, PPPoE, and Bridge Ethernet) but rather based on 
an internal packet tagging. This tag indicates whether a packet is a priority frame or not. The tag is a flag in 
a memory context associated to the packet, but the tag is not a field in the packet. If the frame is tagged 
and IRB is enabled on that interface, the frame is inserted at the beginning of the emission queue (transmit 
ring), so that the frame get absolute priority and low latency. 


Tagging is implicit: when a packet is processed through an output QoS policy and if the packet is matched 
by a priority class, the packet is tagged. 
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BVI CONFIGURATION 


The first step is to declare the BVI interface and to assign IP parameters: 


CLI (configure)> interface bvi <1..255> 
CLI(config-if)> ip address { dhcp | <ip-address> <netmask> } 


A BVI is just a standard IP interface where you can configure any type of IP services such as ACL, NAT, 
QoS, routing, ... By default, the BVI interface uses the FastEthernet 0/0 MAC address with no VLAN 
encapsulation. That means that frames with a VLAN tag are not switched by default. 


To have frames with a VLAN tag being switched, you must assign a VLAN ID to the BVI interface by 
entering the following command (where <1..4095> is the VLAN ID value) under BVI interface 
configuration mode: 


CLI (config-if)> encapsulation dot1Q <1..4095> 
If you would like that the VLAN tag be removed on a specified FastEthernet sub-interface, please enter the 
following command under FastEthernet sub-interface configuration mode: 


CLI (config-if)> encapsulation dot1Q <1..4095> native 


The keyword native tells the router that the VLAN tag must be removed. In that case, only one sub- 
interface is allowed on this port. 


To remove dot1Q encapsulation, use the following command: 


CLI (config-if)> default encapsulation 


You must then specify a bridge-group ID. A bridge-group ID is a unique, arbitrary identifier designating BVI 
membership of physical interfaces. 


CLI (config-if)> bridge-group <1..255> 
CLI (config-if)> exit 


Using dot1Q encapsulation, frames with the ad hoc VLAN tag are switched by the BVI while frames with 
another VLAN tag are not switched. To make all frames with a VLAN tag being switched regardless of the 
VLAN tag value (VLAN transparency), use the following command in global configuration mode (instead of 
the dot1Q encapsulation command): 


CLI(configure)> [no] bridge-group <1..255> transparency 


Use the no form of the command to remove VLAN transparency. 


By default, the table of MAC addresses of a bridge group contains 1,024 MAC addresses; this size can be 
changed in global configuration mode: 


CLI (configure) > bridge-group <1..255> mac-address-table limit <10..4096> 


To set the default value: 


CLI(configure)> default bridge-group <1..255> mac-address-table limit 


MAC address learning is a processing that the bridge records the association between a port and a MAC 
address when it receives a frame with this source address on a port. Then, a bridged frame with that same 
MAC address set as destination is forwarded to that port. If MAC address learning is disabled, a frame 
entering the bridge is flooded to all other ports (i.e. it is replicated and forwarded to all other ports). MAC 
address learning is enabled by default as it avoids sending unnecessary traffic and consumes less CPU. 
However, it can be disabled with the next command: 


CLI (configure)> no bridge-group <1..255> mac—address-—learning 
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MAC address learning is re-enabled in this way: 


CLI (configure)> bridge-group <1..255> mac-address-—learning 


By default IGMP snooping (defined in RFC 4541) is enabled on the bridge group if a BVI interface exists 
for this bridge group. Use the following command in global configuration mode to disable IGMP snooping: 


CLI (configure)> no ip igmp-snooping bridge-group <1. .255> 


Note that IGMP snooping is automatically disabled for the bridge group is the BVI interface is deleted. 
IGMP snooping is re-enabled in this way: 


CLI (configure)> ip igmp-snooping bridge-group <1..255> 


Then, you must declare in each bridged interface to which bridge group they belong. The command syntax 
is as follows: 


CLI (configure)> interface { ethernet <slot>/<port>[.<if-—-id>] 
| fastethernet <slot>/<port>[.<if-id>] 
| gigabitethernet <slot>/<port>[.<if-id>] 
| atm <slot>[.<if-id>] 
| atm-aal5 <slot>.<port>[.<if—-id>] 
| bvi <if-id> 
| dotllradio <slot>/<port>[.<if-id>] 
| efm <slot>.<port>[.<if-id>] 
| virtual-template <if-id> 
} 


CLI (config-if)> bridge-group <group-id> 


Warning: 


A BVI interface must be considered as a virtual FastEthernet interface. It is therefore not possible to do per 
interface routing, but routing based on next-hop. The MAC address of next-hop is resolved per ARP and 
must be within BVI network. The next—hop IP cannot be the BVI IP. 


Invalid example: 


interface bvi 1 

ip address: 102100. 1 2d 255275555255:.-0 
bridge-group 10 
exit 
interface fastEthernet 0/0 

bridge-group 10 
exit 

! Wrong: cannot route on this interface 
Lp route 0.0.0.0 0.0.0.0 Dva. 1 


Valid example: 


inmverrace: bya: a 

ip address 10.100.1.1 255.255.255.0 
bridge-group 10 
exit 

interface fastEthernet 0/0 

bridge-group 10 
exit 

!10.100.1.2 is part of 10.100.1.1/24 network 
! The static route below is then valid 
ip: route 0.0.0 70) 0.02020. 10,100.01 .2 
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6.3 MULTIPLE MAC ADDRESSES ON SWITCH PORTS 


Warning: this functionality may lead to degraded performance when enabled on ONECell25, 
ONE60, ONE100A and ONE200. 


To allow OneOS to use many MAC addresses, use the next command (default: disable): 


CLI (configure) > multi-mac-address { enable | disable } 


If multi-mac-—address Is enabled: 
e Fast or Gigabit Ethernet ports of the switch interface with an IP address get a different MAC address. 


e If VRRP is used, the virtual router can use a virtual MAC address for the VRID and a physical MAC 
address for Fast or Gigabit Ethernet ports simultaneously. 


e One can assign MAC addresses to BVI or VLAN interfaces (default MAC remains the Mac address of 
Fast or Gigabit Ethernet 0/0). If the MAC address is changed, OneOS checks that the new MAC is 
different from the MAC assigned to another BVI or VLAN. 


To set the MAC address on VLAN/BVI: 


CLI (configure)> interface { bvi <id> 

| fastethernet <slot>/<port>.<vlan-id> 

| gigabitethernet <slot>/<port>.<vlan—id>} 
CLI (config-if)> mac-address { <xx:xx:xx:xXxX!XxX:XX> 

| mac5 | mac6 | mac7 

| default mac-address } 


mac5, mac6, mac7 are available MAC addresses as listed by show product-info-area command. 


Show command: 


CLI> show system statistics multi-mac-—address 
### Multi MAC Address feature is ACTIVE 
nb multi-mac feature enable Z 
nb multi-mac feature disable di 
nb get physical addr. req. 6 
nb add logical addr. req. 1 
nb del logical addr. req. +. 0 
nb addr. get from PIA © © 
nb addr. added in filter 7 
nb addr. removed from filter 0 
nb delete all addr. in filter : 2 
### CTRL_O MAC Address Filter 
4 MAC Addr. in the filter : 
00:12:EF:04:8A:6C 
OO; LA. EFS O08 7SA* 6C 
QO0r12 EF: 0C+8As6C 
00:12:EF:14:8A:6C 
### CTRL_1 MAC Address Filter 
QO MAC Addr. in the filter : 
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6.4 BRIDGE EXAMPLES 


6.4.1 Simple Ethernet Switch 


The following configuration activates layer-2 switching on FastEthernet ports #0 to #3: 


interface bvi 1 

ip address 192.168.1.1 255.255.255.0 
bridge-group 10 

exit 

interface fastethernet 0/0 
bridge-group 10 

exit 

interface fastethernet 0/1 
bridge-group 10 

exit 

interface fastethernet 0/2 
bridge-group 10 

exit 

interface fastethernet 0/3 
bridge-group 10 

exit 


6.4.2 VLAN Ethernet Switch 


On the next configuration, there is one BVI: it is VLAN-based (VLAN ID = 101). Port #0 is a true VLAN 
port, whereas Port #1 is member of this VLAN without the VLAN header. 


Warning: such configuration is not possible on the ONE10 as a single VLAN per port is supported. 


interface bvi 1 

ip address 192.168.1.1 255.255.255.0 
bridge-group 1 

encapsulation dot1Q 101 
exit 

interface fastethernet 0/0.1 
encapsulation dot1Q 101 
bridge-group 1 
exit 

interface fastethernet 0/1.1 
encapsulation dot1Q 101 native 
bridge-group 1 
exit 


6.4.3 Simple ATM Bridging 


The following example shows an Ethernet interface that is bridged over an ATM PVC. 


interface bvi 1 

ip address 192.168.1.1 255.255.255.0 
bridge-group 10 
exit 
interface fastethernet 0/0 
bridge-group 10 
exit 
inteface atm 0.1 

pvc ipoa vpi 8 vci 35 

ip address 10.10.10.12 255.255.255.0 

gos ubr 2304000 

execute 

exit 
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bridge-group 10 
exit 


6.4.4 IP Encapsulation in IPoEOoA 


The following example shows how to send IP packets encapsulated in Ethernet. 


interface bvi 1 
ip address 10.100.1.1 255.255.255.0 
bridge-group 10 
exit 
interface atm 0.1 
pvc ipoa vpi 8 vci 35 
ip address 10.1.1.1 255.255.255.0 
gos ubr 2304000 
execute 
exit 
bridge-group 10 
exit 
ip route 0.0.0.0 0.0.0.0 10.100.1.2 


6.4.5 Priority-Queuing with IPOoEOA and PPPoEOoA 


The following example is the same as the previous one, except that we want IPoE to have absolute priority 
over the PPPoEOA flow. 


class-map takeall 
match any 
exit 
policy-map absolute-prio 
! Class-—default is actually not used, but the configuration 
! requires that its bandwidth be not empty 
class class-—default 
bandwidth percent 1 
exit 
class takeall 
priority percent 99 
exit 
exit 
interface bvi 1 
ip address 10.100.1.1 255.255.255.0 
bridge-group 10 
service-policy output absolute-prio 
exit 
interface atm 0.1 
pvc pppoeoa vpi 8 vci 35 
username **** 
password **** 
ipep dynamic 
gos ubr 2304000 
execute 
exit 
ip nat inside overload 
bridge-group 10 
exit 


6.4.6 ATM Bridging with VLAN Mapping 


The objective of VLAN mapping is to bridge flows from VLAN ID 101 on PVC #1 and VLAN 202 on 
PVC #2. 


interface bvi 1 
ip address 192.168.1.1 255.255.255.0 
bridge-group 101 
encapsulation dot1Q 101 
exit 
interface bvi 2 
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ip address 10.100.1.1 255.255.255.0 
bridge-group 202 

encapsulation dot1Q 202 
exit 
interface fastethernet 0/0.1 
bridge-group 101 
exit 
interface fastethernet 0/0.2 
bridge-group 202 
exit 
interface atm 0.1 

pvc ipoa vpi 8 vci 35 

ip address 10.10.10.10 255.255.255.0 

gos ubr 2304000 

execute 

exit 

bridge-group 101 
exit 
interface atm 0.2 

pvc ipoa vpi 8 vci 36 

ip address 10.10.12.12 255.255.255.0 

gos ubr 2304000 

execute 

exit 

bridge-group 202 
exit 


6.4.7 Several VLAN over one PVC 


The following example creates an ATM PVC (VPI 8, VCI 35) with 3 VLAN (10, 20, and 30) in the PVC. 


configure terminal 
interface atm 0 
driver ident 0 
max vp 8 
max vc 8 
range vp min O max 20 
range vc min O max 500 
execute 
exit 
gshdsl 
linerate fixed 2304 
execute 
exit 
exit 
virtual-template pvc 1 
execute 
exit 
interface atm-aal5 0.1 
pvc vpi 8 vci 35 
profile-pvc 1 
exit 
exit 
interface atm-aal5 0.1.10 
ip address 10.10.10.10 255.255.255.0 
encapsulation dot1Q 10 
exit 
interface atm-aal5 0.1.20 
ip address 20.20.20.20 255.255.255.0 
encapsulation dot1Q 20 
exit 
interface atm-aal5 0.1.30 
ip address 30.30.30.30 255.255.255.0 
encapsulation dot1Q 30 
exit 
exit 
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The following example adds layer 2 QoS over VLAN to the previous example. 


configure terminal 
class-map cvlan10 
match vlan 10 
exit 
class-map cvlan20 
match vlan 20 
exit 
class-map cvlan30 
match vlan 30 
exit 
policy-map pvlan10 
class cvlan10 
bandwidth percent 30 
exit 
exit 
policy-map pvlan20 
class cvlan20 
bandwidth percent 30 
exit 
exit 
policy-map pvlan30 
class cvlan30 
bandwidth percent 40 
exit 
exit 
policy-map atmpvc 
class cvlan10 
service-policy pvlan10 
exit 
class cvlan20 
service-policy pvlan20 
exit 
class cvlan30 
service-policy pvlan30 
exit 
exit 
interface atm 0 
driver ident 0 
max vp 8 
max vc 8 
range vp min O max 20 
range vc min O max 500 
execute 
exit 
gshdsl 
linerate fixed 2304 
execute 
exit 
exit 
virtual-template pvc 1 
execute 
exit 
interface atm-aal 0.1 
pvc vpi 8 vci 35 
profile-pvc 1 
exit 
service-policy output atmpvc 
exit 
interface atm-aal5 0.1.10 
ip address 10.10.10.10 255.255.255.0 
encapsulation dotliq 10 
exit 
interface atm-aal5 0.1.20 
ip address 20.20.20.20 255.255.255.0 
encapsulation dotlq 20 
exit 
interface atm-aal5 0.1.30 
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ip address 30.30.30.30 255.255.255.0 
encapsulation dotlq 30 

exit 
exit 


6.4.8 PPPoEoVLAN over ATM 


For an example of PPP over Ethernet over VLAN (PPPoEoVLAN) over ATM configuration, please refer to 
"Generic PVC configuration example" section in "ATM Generic Permanent Connections (Generic ATM- 
AAL5 PVC)" chapter of "OneOS — WAN User Guide" document. 





6.5 BRIDGE DEBUG & SHOW FUNCTIONS 


To view the bridge group cache: 


CLI> show bridge-group cache [<group-id>] 


To clear the cache content for all groups: 


CLI> clear bridge-group cache [<group-id>] 


To debug issues related to bridge configuration: 


CLI> debug bridge 
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7 


SOFT-GRE PSEUDOWIRES 





Tz 


1 


INTRODUCTION TO PSEUDOWIRES 


Pseudo Wire Emulation Edge-to-Edge (PWE3) is a mechanism that emulates services such as ATM, 
Frame Relay or Ethernet over a Packet Switched Network. The required functions of pseudowires include 
encapsulating service-specific PDUs arriving at an ingress port, and carrying them across a path or tunnel, 
managing their timing and order, and any other operations required to emulate the behavior and 
characteristics of the service as faithfully as possible. 


The figure below illustrates the PWE3 Network Reference Model. 


Pseudo Wire emulated Ethernet Service 


) Pseudo Wire > 


Packet Switched Network 
5 


1 
. 
2 

~*~ 


Access / Aggregation ige3=» = MPLS/VPLS 
network we network 


Provider Edge (PE) 
Label Switching Router (LSP) 





Switch 


DSLAM 


This chapter describes the OneOS-based implementation for the transport of Ethernet in a GRE 
encapsulated MPLS pseudowire. The Ethernet MPLS pseudowire encapsulated in a GRE tunnel enables 
service providers to carry Ethernet Protocol Data Units (PDUs) across a layer-3 access and aggregation 
network and deliver the Ethernet PDUs in a MPLS (Multi Protocol Label Switching) / VPLS (Virtual Private 
LAN Service) network. 


The OneOS PWE3 implementation conforms to the Pseudo Wire Emulation Edge-to-Edge (PWE3) 
Architecture described in RFC 3985. 


The Ethernet PDU encapsulation within the pseudowire conforms to Encapsulation Methods for Transport 
of Ethernet over MPLS Networks (RFC 4448). The two following modes of operation (pseudowire type 4 
and 5) are supported: 


o _Port-to-port mode — in this mode the Ethernet frame might or might not have an 802.1q VLAN 
tag. However the presence of a tag is not meaningful to both ingress and egress pseudowire 
endpoint routers. 


o VLAN-to-VLAN mode — in this mode each Ethernet frame must contain an IEEE 802.1q VLAN 
tag. The tag value is meaningful and is used to map input Ethernet frames to the 
corresponding pseudowire. 


The pseudowire is carried over the access/aggregation network by means of a GRE tunnel as described in 
RFC 4023. The pseudowire packet is encapsulated in a GRE packet that consists of: 
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o An IP header, 


o A GRE header — The protocol type field must be set to the Ether Type value for MPLS — 
Unicast (0x8847) or Multicast (0x8848) -, 


o The pseudowire packet (payload). 
The GRE tunnel provides a data path for the pseudowire. 


Note: the pseudowire encapsulation within GRE uses soft-GRE tunnels. The tunnel exists only in the 
sense of GRE encapsulation and decapsulation and cannot be used as a routing interface on the router. 
The GRE encapsulation does not require the pre-configuration of a GRE tunnel interface on the router, the 
GRE encapsulation only exists within the pseudowire context. As a consequence, GRE keepalive are not 
used in this context. In addition the protocol extensions described in RFC 2890 (Key, Sequence) are not 
carried in the GRE header used for the pseudowire transport. 


The OneOS quality of service (QoS) feature can be used so as to set the EXP field of the MPLS label and 
the DSCP field of the GRE outer IP. 


The following functions are out of the scope of the current solution design: 


o LDP/T-LDP — LDP is not implemented for the setup and maintenance of pseudowires as 
described in RFC 4447, 


o Control Word — The pseudowire "control word" defined in the chapter 4.6 of the RFC 4448 is 
not implemented. 
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7.2 


CREATING A PSEUDOWIRE ON AN INTERFACE 


In interface configuration mode the following commands can be used to create a soft-GRE based 
pseudowire. Currently pseudowire configuration is only possible on FastEthernet and GigabitEthernet 
interfaces and their sub-interfaces. Multiple pseudowire instances can be configured. 


Direct configuration of soft-GRE source address 
CLI (config-if)> xconnect local-ip <local-ip> peer-ip <peer-ip> 
in-label <in-label> out-label <out-—label> 
Configuration of soft-GRE tunnel with source address from a specific interface 
CLI(config-if)> xconnect <if-name> <if-number> peer-ip <peer-ip> 
in-label <in-label> out-label <out-—label> 
Configuration of soft-GRE source address based on outgoing interface 
CLI(config-if)> xconnect any peer-ip <peer-ip> 
in-label <in-label> out-label <out-—label> 
The pseudowire configuration can be removed from an interface with the following command: 


CLI (config-if)> no xconnect 





7.3.1 


7.3.2 


QOS MAPPING FOR A PSEUDOWIRE TUNNEL 


Using QoS mapping 


By default both the EXP field of the pseudowire’s MPLS header and the DSCP field of the soft-GRE 
tunnel’s IP header are 0. It is possible to overrule these by optionally specifying a DSCP and/or EXP value 
or by referencing a globally defined QoS mapping. 


CLI (config-if)> xconnect <if-name> <if-number> peer-ip <peer-ip> 
in-label <in-label> out-label <out-label> 
[exp <exp-value>] [dscp <dscp-value>] 
[qosmap-id <gos-map-id>] 


The EXP value overrules the default value of the EXP field in the MPLS header. Valid values are between 
O and 7. 


The DSCP value specifies the DSCP value within the IP header of the GRE encapsulation. Valid values 
are between 0 and 63. 


A QoS map allows a dynamic mapping of VLAN p-bits to DSCP and EXP bits. It must refer to the ID of a 
globally defined pseudowire QoS map (see below). 


Pseudowire QoS map 


A pseudowire QoS map is defined in global configuration mode and is assigned a unique id. An interface 
in pseudowire mode can use this QoS map by using its QoS map ID. Multiple interfaces may use the same 
pseudowire QoS map. 


To create a pseudowire QoS map and enter in QoS map configuration mode: 


CLI (configure)> xconnect-qos-map <gos-map-id> 
CLI (config-xconnect-—qos-map> 
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Each p-bit must be explicitly mapped to its corresponding EXP and/or DSCP value. Any values that are not 
mapped will use the default EXP and DSCP values for the soft-GRE tunnel. 


CLI (config-xconnect-—gos-map)> map p-bits <value> 
[exp <exp-value>] [dscp <dscp-value> 
To remove an element from the dynamic mapping: 


CLI (config-xconnect-gos-map)> no map p-bits <value> 


To exit the QoS map configuration mode: 
CLI (config-xconnect-—qgos-map) > exit 
CLI (configure) > 

To remove the entire mapping table: 


CLI (configure)> no xconnect-qos-map <qos-map-id> 





7.4 PSEUDOWIRE STATUS MONITORING 


7.4.1 Overview of the active pseudowire configuration 


CLI> show xconnect configuration 
XConnect Configuration Enabled. 


Incoming Interface : GigabitEthernet 0/0.2 
Local IP address e: lye 3e4 

Peer IP address S 28642540 

In Label : 1234 

Out Label : 7890 


Pseudowire configuration on an interface can be viewed by specifying the interface: 


CLI> show xconnect configuration <interface> 


7.4.2 Pseudowire statistics 


CLI> show xconnect statistics 
Xconnect Statistics 
In Packets (Labelled) 
Out Packets (Labelled) 
In Label Mismatch 


0 
0 
0 
Destination Unreachable : 0 


Pseudowire statistics for an interface can be viewed by specifying the interface: 


CLI> show xconnect statistics <interface> 
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8 LAYER 2 CONTROL PROTOCOL (L2CP) TUNNELING 





8.1 L2CP TUNNELING OVERVIEW 


The end-to-end Ethernet pseudowire service (see section 7 above) has to be transparent to the bridge 
protocol data units (BPDUs) exchanged between different devices. For that purpose, layer-2 control 
protocols are carried across the service provider network by means of L2CP tunneling so that the frame 
can pass through the switches of the aggregation network without being processed by those switches. 


L2CP tunneling consists in swapping the BPDU destination MAC address at the ingress device with a 
specific multicast MAC address. Within the network, the modified BPDUs are forwarded as any other data 
frame in the service VLAN without interfering with the network switches. At the egress device the specific 
MAC address is recognized and replaced by the original destination MAC address. 


The figure below illustrates the Layer 2 Control Protocol (L2CP) tunneling. 


Ethernet Frame Ethernet Frame Ethernet Frame Ethernet Frame 


DA MAC: 01:80:C2:00:00:00 DA MAC: 01:0F:E2:00:00:03 DA MAC: 01:0F:E2:00:00:03 DA MAC: 01:80:C2:00:00:00 





Ethernet Service Provider " wet Ethernet 






Network A Network ae Network B 
Ingress Egress 
device device 


Layer 2 Control Protocol (L2CP) tunneling works on Ethernet interfaces and sub-interfaces only along with 
pseudowire encapsulation configuration (xconnect command). 
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8.2 CONFIGURATION OF L2CP PROFILE 


Use the following command in global configuration mode to create a L2CP profile and enter in L2CP profile 
configuration mode: 


CLI (configure) > l2cp-profile <profile-name> 
CLI (config-l2cp-—profile)> 
Use the no form of the command to remove a L2CP profile: 


CLI (configure)> no 12cp-profile <profile-name> 
8.2.1 Destination MAC Configuration 


By default the destination MAC address is 01-00-0c-cd-cd-d0. Use the following command in L2CP profile 
configuration mode to define another destination MAC address: 


CLI (config-l2cp-profile)> destination-mac <mac-—to-use-for-translation> 


Use the following command to return to the default value: 


CLI (config-l2cp-profile)> default destination-mac 
8.2.2 Drop Threshold Configuration 


Use the following command in L2CP profile configuration mode to define drop threshold for rate-limiting the 
packets from CPE side: 


CLI (config-l2cp-profile)> drop-threshold <drop-threshold> 
drop-threshold Is specified as number of packets per second above which packets are dropped; valid 
values are between 1 and 4096. 
Use the no form of the command to disable rate-limiting that way. 


CLI (config-l2cp-profile)> no drop-threshold 
8.2.3 Shutdown Threshold Configuration 


Use the following command in L2CP profile configuration mode to define shutdown threshold for disabling 
the processing of Layer 2 control packets from CPE side if input rate exceeds the threshold. 


CLI (config-l2cp-profile)> shutdown-threshold <shutdown-threshold> 
shutdown-hreshold is specified as number of packets per second above which L2CP is disabled; valid 
values are between 1 and 4096. 

Use the no form of the command to disable rate-limiting that way. 


CLI (config-l2cp-profile)> no shutdown-threshold 
8.2.4 Configuration of L2CP Protocols 


The following command enables a particular processing of a particular layer 2 protocol for tunneling with 
optional configuration of drop and shutdown thresholds. Drop threshold and shutdown thresholds can be 
configured independently with restriction of drop threshold should be always less than or equal to 
shutdown threshold. 


CLI (config-l2cp-profile)> protocol <12-protocol> 
drop-threshold <drop-threshold> 
shutdown-threshold <shutdown-threshold> 


Bridging & LAN User Guide Page 8.2-87 of 89 


ONEOS V4.3R4 /V5.1R3 BRIDGING & LAN USER GUIDE (EDITION 10) 


List of layer-2 protocols that can be configured for tunneling: 


stp Spanning Tree Protocol — STP (IEEE 802.1D) 
pvst Per VLAN Spanning Tree Protocol 
lacp Link Aggregation Control Protocol — LACP (IEEE 802.1AX-2008) 


lacp-marker 


LACP Marker Protocol 


eapol Extensible Authentication Protocol over LANs — EAPOL (IEE 802.1X) 
lldp Link Layer Discovery Protocol — LLDP (IEEE 802.1AB) 

gvrp GARP VLAN Registration Protocol — GVRP (IEEE 802.1ad-2006) 
udld Cisco Unidirectional Link Detection Protocol — UDLD (IETF RFC 5171) 
cdp Cisco Discovery Protocol — CDP 

dtp Cisco Dynamic Trunking Protocol — DTP 

vtp Cisco VLAN Trunking Protocol — VTP 

pagp Cisco Port Aggregation Protocol — PAgP 


cisco-vlan-bridge 
Gi sco-Uplink=fast 


oam 


Cisco VLAN Bridge Protocol 
Cisco UplinkFast Protocol 


OAM (IEE 802.1ag / ITU-T Y.1731) 


drop-threshold Is used for rate-limiting particular protocol packets from CPE. 


shutdown-threshold Is used for disabling processing of particular layer 2 protocol packets if input rate 
exceeds shutdown threshold. 


Thresholds are specified as number of packets per second; valid values are between 1 and 4096. 
The following command disables L2CP tunneling of a particular layer 2 protocol. 


CLI (config-l2cp-profile)> no protocol <12-protocol> 


8.2.5 Configuration of Error recovery interval 


The following command configures frequency of error recovery handler which re-enables the L2CP profile 
instances and protocols disabled after exceeding shutdown threshold. 


CLI (config-l2cp-profile)> error-recovery interval <interval> 


interval Is specified in seconds; valid values are from 30 to 600 (default value is 300.) 


Note that applying shutdown and no-shutdown commands on an interface or sub-interface also re-enables 
the L2CP profile instance as well as protocols disabled after exceeding shutdown threshold on the 
interface. 


8.2.6 Configuring L2CP Profile on an interface 


The following command in interface configuration mode applies a particular L2CP profile on the interface. 
This command is supported on FastEthernet, GigabitEthernet interfaces and sub-interfaces. 


CLI (config-if)> 1l2cp <profile-name> 


Note: OAM processing should be disabled on interface for tunneling OAM packets using L2CP. 


OAM processing can be disabled on interface applying the following command in interface configuration 
mode: 


CLI (config-if)> oam disabled 
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8.3 L2CP PROFILE MONITORING 


8.3.1 Active L2CP Configurations 


The following command in global mode displays configuration of all L2CP profiles and interfaces using this 
profile. Only one profile configuration can be viewed by specifying profile name. 


CLI> show l2cp configuration [<profilel-name>] 


8.3.2 L2CP Statistics 


The following command in global mode displays statistics of instances of all L2CP profiles in the system. 
Statistics of only one profile and instances of the profile can be viewed by specifying profile name. 


CLI> show l2cp statistics [<profilel-name>] 


The following command in global mode clears statistics of all L2CP profiles and instances in the system. 
Statistics of only one profile and instances of the profile can be cleared by specifying profile name. 


CLI> clear 12cp statistics [<profilel-name>] 


8.3.3 L2CP Status 


The following command in global mode displays status of instances of all L2CP profiles in the system. 
Status of only one profile and instances of the profile can be viewed by specifying profile name. 


CLI> show l2cp status [<profilel-name>] 
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